21 research outputs found

    Simulation-Based Bi-Selective Opening Security for Public Key Encryption

    Selective opening attacks (SOA) (for public-key encryption, PKE) concern such a multi-user scenario, where an adversary adaptively corrupts some fraction of the users to break into a subset of honestly created ciphertexts, and tries to learn the information on the messages of some unopened (but potentially related) ciphertexts. Until now, the notion of selective opening attacks is only considered in two settings: sender selective opening (SSO), where part of senders are corrupted and messages together with randomness for encryption are revealed; and receiver selective opening (RSO), where part of receivers are corrupted and messages together with secret keys for decryption are revealed. In this paper, we consider a more natural and general setting for selective opening security. In the setting, the adversary may adaptively corrupt part of senders and receivers \emph{simultaneously}, and get the plaintext messages together with internal randomness for encryption and secret keys for decryption, while it is hoped that messages of uncorrupted parties remain protected. We denote it as Bi-SO security since it is reminiscent of Bi-Deniability for PKE. We first formalize the requirement of Bi-SO security by the simulation-based (SIM) style, and prove that some practical PKE schemes achieve SIM-Bi-SO-CCA security in the random oracle model. Then, we suggest a weak model of Bi-SO security, denoted as SIM-wBi-SO-CCA security, and argue that it is still meaningful and useful. We propose a generic construction of PKE schemes that achieve SIM-wBi-SO-CCA security in the standard model and instantiate them from various standard assumptions. Our generic construction is built on a newly presented primitive, namely, universal_κ hash proof system with key equivocability, which may be of independent interest

    Anonymous Public Key Encryption under Corruptions

    Anonymity of public key encryption (PKE) requires that, in a multi-user scenario, the PKE ciphertexts do not leak information about which public keys are used to generate them. Corruptions are common threats in the multi-user scenario but anonymity of PKE under corruptions is less studied in the literature. In TCC 2020, Benhamouda et al. first provide a formal characterization for anonymity of PKE under a specific type of corruption. However, no known PKE scheme is proved to meet their characterization. To the best of our knowledge, all the PKE application scenarios which require anonymity also require confidentiality. However, in the work by Benhamouda et al., different types of corruptions for anonymity and confidentiality are considered, which can cause security pitfalls. What's worse, we are not aware of any PKE scheme which can provide both anonymity and confidentiality under the same types of corruptions. In this work, we introduce a new security notion for PKE called ANON-RSO_k&C security, capturing anonymity under corruptions. We also introduce SIM-RSO_k&C security which captures confidentiality under the same types of corruptions. We provide a generic framework of constructing PKE scheme which can achieve the above two security goals simultaneously based on a new primitive called key and message non-committing encryption (KM-NCE). Then we give a general construction of KM-NCE utilizing a variant of hash proof system (HPS) called Key-Openable HPS. We also provide Key-Openable HPS instantiations based on the matrix decisional Diffie-Hellman assumption. Therefore, we can obtain various concrete PKE instantiations achieving the two security goals in the standard model with compact ciphertexts. Furthermore, for some PKE instantiation, its security reduction is tight

    Asymmetric Group Message Franking: Definitions & Constructions

    As online group communication scenarios become more and more common these years, malicious or unpleasant messages are much easier to spread on the internet. Message franking is a crucial cryptographic mechanism designed for content moderation in online end-to-end messaging systems, allowing the receiver of a malicious message to report the message to the moderator. Unfortunately, the existing message franking schemes only consider 1-1 communication scenarios. In this paper, we systematically explore message franking in group communication scenarios. We introduce the notion of asymmetric group message franking (AGMF), and formalize its security requirements. Then, we provide a framework of constructing AGMF from a new primitive, called HPS-KEM^Σ. We also give a construction of HPS-KEM^Σ based on the DDH assumption. Plugging the concrete HPS-KEM^Σ scheme into our AGMF framework, we obtain a DDH-based AGMF scheme, which supports message franking in group communication scenarios

    Streptococcus pneumoniae and Haemophilus influenzae type b carriage in Chinese children aged 12–18 months in Shanghai, China: a cross-sectional study

    Abstract

    Background: The bacteria Streptococcus pneumoniae (pneumococcus) and Haemophilus influenzae type b (Hib) are leading causes of childhood pneumonia and meningitis and are major contributors to worldwide mortality in children younger than 5 years of age. Asymptomatic nasopharyngeal carriage of pneumococcus and Hib was determined for healthy children in Shanghai in 2009.

    Methods: Children from 5 immunization clinics were enrolled in this study. Specimens from the nasopharynx were collected and cultured in Columbia and chocolate agar to identify pneumococcal and Hib carriage. Pneumococcal specimens were serotyped with the Neufeld test, and antibiotic resistance for pneumococcal and Hib specimens used the E-test method. Significance of risk factors for carriage was assessed through chi-square tests.

    Results: Among 614 children, 16.6 % had pneumococcal carriage and 8.0 % Hib carriage. The predominant serotype of pneumococcus that was isolated was 19F (52.9 %); serotype coverage was 68.6 % for both 7-valent pneumococcal conjugate vaccine (PCV) and PCV-10, and 82.3 % for PCV-13. Household residency and father's education were both significantly related to pneumococcal and Hib carriage. The majority of S. pneumoniae isolates were sensitive to most antimicrobials but there were high levels of resistance to azithromycin (51.0 %) and erythromycin (51.0 %). Haemophilus influenzae isolates were sensitive to almost all antimicrobials tested although 12.2 % of isolates were resistant to ampicillin.

    Conclusions: The pneumococcal and Hib vaccines require payment, and the children with the highest burden of disease may not be receiving these vaccines. Moreover, the presence of high antibiotic susceptibility towards pneumococcus, and to a lesser extent towards Hib, underscores the need for preventive protection against these diseases. Public funding of pneumococcal and Hib vaccines would be one mechanism to increase uptake of these vaccines.

    http://deepblue.lib.umich.edu/bitstream/2027.42/134553/1/12879_2016_Article_1485.pd

    Simulation-Based Selective Opening Security for Receivers under Chosen-Ciphertext Attacks

    Security against selective opening attack (SOA) for receivers requires that in a multi-user setting, even if an adversary has access to all ciphertexts, and adaptively corrupts some fraction of the users to obtain the decryption keys corresponding to some of the ciphertexts, the remaining (potentially related) ciphertexts retain their privacy. In this paper, we study simulation-based selective opening security for receivers of public key encryption (PKE) schemes under chosen-ciphertext attacks (RSIM-SO-CCA). Concretely, we first show that some known PKE schemes meet RSIM-SO-CCA security. Then, we introduce the notion of master-key SOA security for identity-based encryption (IBE), and extend the Canetti-Halevi-Katz (CHK) transformation to show generic PKE constructions achieving RSIM-SO-CCA security. Finally, we show how to construct an IBE scheme achieving master-key SOA security

    Hedged Nonce-Based Public-Key Encryption: Adaptive Security under Randomness Failures

    Nowadays it is well known that randomness may fail due to bugs or deliberate randomness subversion. As a result, the security of traditional public-key encryption (PKE) cannot be guaranteed any more. Currently there are mainly three approaches dealing with the problem of randomness failures: deterministic PKE, hedged PKE, and nonce-based PKE. However, these three approaches only apply to different application scenarios respectively. Since the situations in practice are dynamic and very complex, it's almost impossible to predict the situation in which a scheme is deployed, and determine which approach should be used beforehand. In this paper, we initiate the study of hedged security for nonce-based PKE, which adaptively applies to the situations whenever randomness fails, and achieves the best-possible security. Specifically, we lift the hedged security to the setting of nonce-based PKE, and formalize the notion of chosen-ciphertext security against chosen-distribution attacks (IND-CDA2) for nonce-based PKE. By presenting two counterexamples, we show a separation between our IND-CDA2 security for nonce-based PKE and the original NBP1/NBP2 security defined by Bellare and Tackmann (EUROCRYPT 2016). We show two nonce-based PKE constructions meeting IND-CDA2, NBP1 and NBP2 security simultaneously. The first one is a concrete construction in the random oracle model, and the second one is a generic construction based on a nonce-based PKE scheme and a deterministic PKE scheme

    Non-Interactive Zero-Knowledge Functional Proofs

    In this paper, we consider generalizing NIZK by empowering a prover to share a witness in a fine-grained manner with verifiers. Roughly, the prover is able to authorize a verifier to obtain extra information about the witness, i.e., besides verifying the truth of the statement, the verifier can additionally obtain a certain function of the witness from the accepting proof using a secret functional key provided by the prover. To fulfill these requirements, we introduce a new primitive called \emph{non-interactive zero-knowledge functional proofs (fNIZKs)}, and formalize its security notions. We provide a generic construction of fNIZK for any NP relation R, which enables the prover to share any function of the witness with a verifier. For a widely-used relation about set membership proof (implying range proof), we construct a concrete and efficient fNIZK, through new building blocks (set membership encryption and dual inner-product encryption), which might be of independent interest

    Genetic Polymorphisms in CYP2E1: Association with Schizophrenia Susceptibility and Risperidone Response in the Chinese Han Population

    CYP2E1 is a member of the cytochrome P450 superfamily, which is involved in the metabolism and activation of both endobiotics and xenobiotics. The genetic polymorphisms of CYP2E1 gene (Chromosome 10q26.3, Accession Number NC_000010.10) are reported to be related to the development of several mental diseases and to be involved in the clinical efficacy of some psychiatric medications. We investigated the possible association of CYP2E1 polymorphisms with susceptibility to schizophrenia in the Chinese Han Population as well as the relationship with response to risperidone in schizophrenia patients.

    In a case-control study, we identified 11 polymorphisms in the 5' flanking region of CYP2E1 in 228 schizophrenia patients and 384 healthy controls of Chinese Han origin. From among the cases, we chose 130 patients who had undergone 8 weeks of risperidone monotherapy to examine the relationship between their response to risperidone and CYP2E1 polymorphisms. Clinical efficacy was assessed using the Brief Psychiatric Rating Scale (BPRS).

    Statistically significant differences in allele or genotype frequencies were found between cases and controls at rs8192766 (genotype p = 0.0048, permutation p = 0.0483) and rs2070673 (allele: p = 0.0018, permutation p = 0.0199, OR = 1.4528, 95% CI = 1.1487-1.8374; genotype: p = 0.0020, permutation p = 0.0225). In addition, a GTCAC haplotype containing 5 SNPs (rs3813867, rs2031920, rs2031921, rs3813870 and rs2031922) was observed to be significantly associated with schizophrenia (p = 7.47E-12, permutation p<0.0001). However, no association was found between CYP2E1 polymorphisms/haplotypes and risperidone response.

    Our results suggest that CYP2E1 may be a potential risk gene for schizophrenia in the Chinese Han population. However, polymorphisms of the CYP2E1 gene may not contribute significantly to individual differences in the therapeutic efficacy of risperidone. Further studies in larger groups are warranted to confirm our results

    Sender-equivocable encryption schemes secure against chosen-ciphertext attacks revisited

    Fehr et al. (2010) proposed the first sender-equivocable encryption scheme secure against chosen-ciphertext attacks (NC-CCA) and proved that NC-CCA security implies security against selective opening chosen-ciphertext attacks (SO-CCA). The NC-CCA security proof of the scheme relies on security against substitution attacks of a new primitive, the "cross-authentication code". However, the security of the cross-authentication code cannot be guaranteed when all the keys used in the code are exposed. Our key observation is that, in the NC-CCA security game, the randomness used in the generation of the challenge ciphertext is exposed to the adversary. Based on this observation, we provide a security analysis of Fehr et al.'s scheme, showing that its NC-CCA security proof is flawed. We also point out that the scheme of Fehr et al. encrypting a single-bit plaintext can be refined to achieve NC-CCA security, free of the cross-authentication code. Furthermore, we propose the notion of "strong cross-authentication code", apply it to Fehr et al.'s scheme, and show that the new version of the latter achieves NC-CCA security for multi-bit plaintexts