38 research outputs found

    Efficient identity-based key encapsulation to multiple parties

    We introduce the concept of identity based key encapsulation to multiple parties (mID-KEM), and define a security model for it. This concept is the identity based analogue of public key KEM to multiple parties. We also analyse possible mID-KEM constructions, and propose an efficient scheme based on bilinear pairings. We prove our scheme secure in the random oracle model under the Gap Bilinear Diffie-Hellman assumption.
    Funding: Fundação para a Ciência e a Tecnologia - SFRH/BPD/20528/2004

    Generic Constructions of Identity-Based and Certificateless KEMs

    We extend the concept of key encapsulation mechanisms to the primitives of ID-based and certificateless encryption. We show that the natural combination of ID-KEMs or CL-KEMs with data encapsulation mechanisms results in encryption schemes which are secure in a strong sense. In addition, we give generic constructions of ID-KEMs and CL-KEMs, as well as specific instantiations, which are provably secure

    Anonymity-Preserving Public-Key Encryption: A Constructive Approach

    Abstract. A receiver-anonymous channel allows a sender to send a message to a receiver without an adversary learning for whom the message is intended. Wireless broadcast channels naturally provide receiver anonymity, as does multi-casting one message to a receiver population containing the intended receiver. While anonymity and confidentiality appear to be orthogonal properties, making anonymous communication confidential is more involved than one might expect, since the ciphertext might reveal which public key has been used to encrypt. To address this problem, public-key cryptosystems with enhanced security properties have been proposed. We investigate constructions as well as limitations for preserving receiver anonymity when using public-key encryption (PKE). We use the constructive cryptography approach by Maurer and Renner and interpret cryptographic schemes as constructions of a certain ideal resource (e.g. a confidential anonymous channel) from given real resources (e.g. a broadcast channel). We define appropriate anonymous communication resources and show that a very natural resource can be constructed by using a PKE scheme which fulfills three properties that appear in the cryptographic literature (IND-CCA, key-privacy, weak robustness). We also show that a desirable stronger variant, preventing the adversary from selective “trial-deliveries” of messages, is unfortunately unachievable by any PKE scheme, no matter how strong. The constructive approach makes the guarantees achieved by applying a cryptographic scheme explicit in the constructed (ideal) resource; this specifies the exact requirements for the applicability of a cryptographic scheme in a given context. It also allows one to decide which of the existing security properties of such a cryptographic scheme are adequate for the considered scenario, and which are too weak or too strong. Here, we show that weak robustness is necessary but that so-called strong robustness is unnecessarily strong in that it does not construct a (natural) stronger resource.

    FAN1 modifies Huntington's disease progression by stabilising the expanded HTT CAG repeat

    Huntington's disease (HD) is an inherited neurodegenerative disease caused by an expanded CAG repeat in the HTT gene. CAG repeat length explains around half of the variation in age-at-onset, but genetic variation elsewhere in the genome accounts for a significant proportion of the remainder. Genome-wide association studies have identified a bidirectional signal on chromosome 15, likely underlain by FAN1 (FANCD2 and FANCI Associated Nuclease 1), a nuclease involved in DNA interstrand cross link repair. Here we show that increased FAN1 expression is significantly associated with delayed age-at-onset and slower progression of HD suggesting FAN1 is protective in the context of an expanded HTT CAG repeat. FAN1 overexpression in human cells reduces CAG repeat expansion in exogenously expressed mutant HTT exon 1, and in patient-derived stem cells and differentiated medium spiny neurons, FAN1 knockdown increases CAG repeat expansion. The stabilising effect is FAN1 concentration and CAG repeat length dependent. We show that FAN1 binds to the expanded HTT CAG repeat DNA and its nuclease activity is not required for protection against CAG repeat expansion. These data shed new mechanistic insights into how the genetic modifiers of HD act to alter disease progression, and show that FAN1 affects somatic expansion of the CAG repeat through a nuclease-independent mechanism. This provides new avenues for therapeutic interventions in HD and potentially other triplet repeat disorders

    Ikeda marriage petition (form addressed to the Minister of the Imperial Household)

    The heat shock response (HSR) is a mechanism to cope with proteotoxic stress by inducing the expression of molecular chaperones and other heat shock response genes. The HSR is evolutionarily well conserved and has been widely studied in bacteria, cell lines and lower eukaryotic model organisms. However, mechanistic insights into the HSR in higher eukaryotes, in particular in mammals, are limited. We have developed an in vivo heat shock protocol to analyze the HSR in mice and dissected heat shock factor 1 (HSF1)-dependent and-independent pathways. Whilst the induction of proteostasis-related genes was dependent on HSF1, the regulation of circadian function related genes, indicating that the circadian clock oscillators have been reset, was independent of its presence. Furthermore, we demonstrate that the in vivo HSR is impaired in mouse models of Huntington's disease but we were unable to corroborate the general repression of transcription that follows a heat shock in lower eukaryotes

    Strengthening Access Control Encryption

    Access control encryption (ACE) was proposed by Damgård et al. to enable the control of information flow between several parties according to a given policy specifying which parties are, or are not, allowed to communicate. By involving a special party, called the sanitizer, policy-compliant communication is enabled while policy-violating communication is prevented, even if sender and receiver are dishonest. To allow outsourcing of the sanitizer, the secrecy of the message contents and the anonymity of the involved communication partners is guaranteed. This paper shows that in order to be resilient against realistic attacks, the security definition of ACE must be considerably strengthened in several ways. A new, substantially stronger security definition is proposed, and an ACE scheme is constructed which provably satisfies the strong definition under standard assumptions. Three aspects in which the security of ACE is strengthened are as follows. First, CCA security (rather than only CPA security) is guaranteed, which is important since senders can be dishonest in the considered setting. Second, the revealing of an (unsanitized) ciphertext (e.g., by a faulty sanitizer) cannot be exploited to communicate more in a policy-violating manner than the information contained in the ciphertext. We illustrate that this is not only a definitional subtlety by showing how in known ACE schemes, a single leaked unsanitized ciphertext allows for an arbitrary amount of policy-violating communication. Third, it is enforced that parties specified to receive a message according to the policy cannot be excluded from receiving it, even by a dishonest sender

    Security Definitions For Hash Functions: Combining UCE and Indifferentiability

    Hash functions are one of the most important cryptographic primitives, but their desired security properties have proven to be remarkably hard to formalize. To prove the security of a protocol using a hash function, nowadays often the random oracle model (ROM) is used due to its simplicity and its strong security guarantees. Moreover, hash function constructions are commonly proven to be secure by showing them to be indifferentiable from a random oracle when using an ideal compression function. However, it is well known that no hash function realizes a random oracle and no real compression function realizes an ideal one. As an alternative to the ROM, Bellare et al. recently proposed the notion of universal computational extractors (UCE). This notion formalizes that a family of functions "behaves like a random oracle" for "real-world" protocols while avoiding the general impossibility results. However, in contrast to the indifferentiability framework, UCE is formalized as a multi-stage game without clear composition guarantees. As a first contribution, we introduce context-restricted indifferentiability (CRI), a generalization of indifferentiability that allows us to model that the random oracle does not compose generally but can only be used within a well-specified set of protocols run by the honest parties, thereby making the provided composition guarantees explicit. We then show that UCE and its variants can be phrased as a special case of CRI. Moreover, we show how our notion of CRI leads to generalizations of UCE. As a second contribution, we prove that the hash function constructed by Merkle-Damgård satisfies one of the well-known UCE variants, if we assume that the compression function satisfies one of our generalizations of UCE, basing the overall security on a plausible assumption. This result further validates the Merkle-Damgård construction and shows that UCE-like assumptions can serve both as a valid reference point for modular protocol analyses, as well as for the design of hash functions, linking those two aspects in a framework with explicit composition guarantees.

    OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks

    Password-Authenticated Key Exchange (PAKE) protocols allow two parties that only share a password to establish a shared key in a way that is immune to offline attacks. Asymmetric PAKE (aPAKE) strengthens this notion for the more common client-server setting where the server stores a mapping of the password and security is required even upon server compromise, that is, the only allowed attack in this case is an (inevitable) offline exhaustive dictionary attack against individual user passwords. Unfortunately, current aPAKE protocols (that dispense with the use of servers' public keys) allow for pre-computation attacks that lead to the instantaneous compromise of user passwords upon server compromise, thus forgoing much of the intended aPAKE security. Indeed, these protocols use - in essential ways - deterministic password mappings or use random salt transmitted in the clear from servers to users, and thus are vulnerable to pre-computation attacks. We initiate the study of Strong aPAKE protocols that are secure as aPAKEs but are also secure against pre-computation attacks. We formalize this notion in the Universally Composable (UC) setting and present two modular constructions using an Oblivious PRF as a main tool. The first builds a Strong aPAKE from any aPAKE (which in turn can be constructed from any PAKE [GMR'06]) while the second builds a Strong aPAKE from any authenticated key-exchange protocol secure against reverse impersonation (a.k.a. KCI). Using the latter transformation, we show a practical instantiation of a UC-secure Strong aPAKE in the Random Oracle model. The protocol (OPAQUE) consists of 2 messages (3 with mutual authentication), requires 3 and 4 exponentiations for server and client, respectively (2 to 4 of which can be fixed-base depending on optimizations), provides forward secrecy, is PKI-free, supports user-side hash iterations, has a built-in facility for password-based storage and retrieval of secrets and credentials, and accommodates a user-transparent server-side threshold implementation.

    Fast Message Franking: From Invisible Salamanders to Encryptment

    Message franking enables cryptographically verifiable reporting of abusive content in end-to-end encrypted messaging. Grubbs, Lu, and Ristenpart recently formalized the needed underlying primitive, what they call compactly committing authenticated encryption (AE), and analyzed the security of a number of approaches. But all known secure schemes are still slow compared to the fastest standard AE schemes. For this reason Facebook Messenger uses AES-GCM for franking of attachments such as images or videos. We show how to break Facebook's attachment franking scheme: a malicious user can send an objectionable image to a recipient but that recipient cannot report it as abuse. The core problem stems from use of fast but non-committing AE, and so we build the fastest compactly committing AE schemes to date. To do so we introduce a new primitive, called encryptment, which captures the essential properties needed. We prove that, unfortunately, schemes with performance profile similar to AES-GCM won't work. Instead, we show how to efficiently transform Merkle-Damgård-style hash functions into secure encryptments, and how to efficiently build compactly committing AE from encryptment. Ultimately our main construction allows franking using just a single computation of SHA-256 or SHA-3. Encryptment proves useful for a variety of other applications, such as remotely keyed AE and concealments, and our results imply the first single-pass schemes in these settings as well.