Tight Security Reduction Research Articles

Adaptively Secure KP-ABE For Circuits With Fan-In n And Fan-Out 1

Abstract The attribute-based encryption (ABE) scheme is suitable for access control of ciphertext in cloud computing. Kowalczyk and Wee proposed an adaptively secure attribute encryption scheme that supports $NC^1$ circuits. However, the circuit depth increases because this scheme supports only circuits with fan-in 2, which increases the key length and computational complexity of the key generation and decryption algorithms. To improve efficiency, we designed a secret sharing scheme for circuits with fan-in $n$, and we proposed a key-policy ABE scheme that supports circuits with fan-in $n$. We also designed pebbling rules for secret sharing in circuits with fan-in $n$, improving the compactness of the security reduction. Finally, we proved the adaptive security of the scheme by using a piecewise guessing framework and dual-system encryption. Compared with existing schemes, our scheme reduces the key size, improves the efficiency of the key generation algorithm and the decryption algorithm and provides tighter security reduction.

On the Security of the Dandelion Protocol

In this paper, we review the peer-to-peer blockchain transaction protocol, Dandelion, and develop an oracle-based model for its network and security. We formalize a series of security and functional criteria, such as unforgeability, non-repudiation, and immutability, into security experiments. In our model, we consider a quantum-capable adversary who seeks to undermine any of the security criteria while using oracles to simulate and interact with the Dandelion network. We then prove the security of Dandelion in our model with a series of (tight) security reductions as our main result. In addition, we prove that Dandelion is resistant to double-spending attacks.

Ultra Lightweight Multiple-Time Digital Signature for the Internet of Things Devices

Digital signatures are basic cryptographic tools to provide authentication and integrity in the emerging ubiquitous systems in which resource-constrained devices are expected to operate securely and efficiently. However, existing digital signatures might not be fully practical for such resource-constrained devices (e.g., medical implants) that have energy limitations. Some other computationally efficient alternatives (e.g., one-time/multiple-time signatures) may introduce high memory and/or communication overhead due to large private key and signature sizes. In this paper, our contributions are two-fold: First, we develop a new lightweight multiple-time digital signature scheme called Signer Efficient Multiple-time Elliptic Curve Signature ( <inline-formula><tex-math notation="LaTeX">$\mathtt {SEMECS}{}$</tex-math></inline-formula> ), which is suitable for resource-constrained embedded devices. <inline-formula><tex-math notation="LaTeX">$\mathtt {SEMECS}{}$</tex-math></inline-formula> achieves optimal signature and private key sizes for an EC-based signature <i>without</i> requiring any EC operation (e.g., EC scalar multiplication or addition) at the signer. We prove <inline-formula><tex-math notation="LaTeX">$\mathtt {SEMECS}{}$</tex-math></inline-formula> is secure (in random oracle model) with a tight security reduction. Second, we fully implemented <inline-formula><tex-math notation="LaTeX">$\mathtt {SEMECS}{}$</tex-math></inline-formula> on 8-bit AVR microprocessor with a comprehensive energy consumption analysis and comparison. Our experiments confirm up to 19× less battery-consumption for <inline-formula><tex-math notation="LaTeX">$\mathtt {SEMECS}{}$</tex-math></inline-formula> as compared to its fastest (full-time) counterpart, SchnorrQ, while offering significant performance advantages over its multiple-time counterparts in various fronts. We open-source our implementation for public testing and adoption.

Revisiting NIZK-Based Technique for Chosen-Ciphertext Security: Security Analysis and Corrected Proofs

Non-interactive zero-knowledge (NIZK) proofs for chosen-ciphertext security are generally considered to give an impractical construction. An interesting recent work by Seo, Abdalla, Lee, and Park (Information Sciences, July 2019) proposed an efficient semi-generic conversion method for achieving chosen-ciphertext security based on NIZK proofs in the random oracle model. The recent work by Seo et al. demonstrated that the semi-generic conversion method transforms a one-way (OW)-secure key encapsulation mechanism (KEM) into a chosen-ciphertext secure KEM while preserving tight security reduction. This paper shows that the security analysis of the semi-generic conversion method has a flaw, which comes from the OW security condition of the underlying KEM. Without changing the conversion method, this paper presents a revised security proof under the changed conditions that (1) the underlying KEM must be chosen-plaintext secure in terms of indistinguishability and (2) an NIZK proof derived from the underlying KEM via the Fiat–Shamir transform must have the properties of zero-knowledge and simulation soundness. This work extended the security proof strategy to the case of identity-based KEM (IBKEM) and also revise the security proof for IBKEM of previous method by Seo et al. Finally, this work gives a corrected security proof by applying the new proofs to several existing (IB)KEMs.

A Tightly Secure DDH-based Multisignature with Public-Key Aggregation

From the birth of the blockchain technology, multisignatures attract much attention as a tool for handling blockchain transactions. Concerning the application to the blockchain, multisignatures with public-key aggregation, which can compress public keys of signers to a single public key, is preferable to the standard multisignature because the public keys and the signature used in a transaction are stored to verify the transaction later. Several multisignature schemes with public key aggregation are proposed, however, there are no known schemes having a tight security reduction. We propose a first multisignature with public-key aggregation whose security is proven to be tightly secure under the DDH assumption in the random oracle model. Our multisignature is based on the DDH-based multisignature by Le, Yang, and Ghorbani, however, our security proof is different from theirs. The idea of our security proof originates from another DDH-based multisignature by Le, Bonnecaze, and Gabillon whose security proof is tightly one. By tailoring their security proof to a setting which admits the public-key aggregation, we can prove the tight security of our multisignature.

Improved RSA lossy trapdoor function and applications

Kakvi and Kiltz (EUROCRYPT'12) proposed the first tight security reduction for RSA full domain hash signature scheme (RSA-FDH) with public exponent e < N1/4 in the random oracle (RO) model, and they left an open problem which called for a tightly secure RSA-FDH for N1/4 < e < N. In this paper, we consider the improved RSA (iRSA) trapdoor functions, introduced by Cao (Science in China'01), are functions that the security can be strictly proved to be equivalent to the factoring. We show that iRSA-FDH has a tight security reduction for e < N. Technically we construct iRSA lossy trapdoor functions, and then we apply the lossiness of the iRSA trapdoor functions to obtain tight security reductions for iRSA-FDH in the RO model. Finally, we propose a tightly secure blind signature scheme based on our iRSA lossy trapdoor functions in the RO model.

Tightly‐secure two‐pass authenticated key exchange protocol using twin Diffie–Hellman problem

Tight security is an important requirement of practical cryptographic schemes. Compared with loosely-secure schemes, tightly-secure schemes allow shorter security parameters hence are more efficient. In CRYPTO 2018, Gjosteen and Jager proposed a tightly-secure authenticated key exchange (AKE) protocol. They used ‘commitment trick’ to construct a tight security reduction for their protocol. However, this technique leads to a three-pass execution in their protocol, and their protocol cannot achieve key confirmation unless it is modified to have a four-pass execution. In this study, the authors propose a tightly-secure two-pass AKE protocol. They use the twin Diffie–Hellman problem and the ‘re-patch’ trick of random oracles to construct a tight security reduction for their protocol. This technique allows their protocol to have a two-pass execution. Their protocol provides several security properties such as key-compromise-impersonation security, unknown-key-share security, and weak perfect forward secrecy. Moreover, a three-pass variant of their protocol provides key confirmation.

An Efficient One-Way Authenticated Key Exchange Protocol for Anonymity Networks

Authenticated key exchange (AKE) is a crucial cryptographic primitive used for establishing an authenticated and confidential communication channel between parties, which has been widely used in our daily life when we surf on the Internet. However, in past decades mutual AKE protocols have been studied extensively in theory, while in many practical environments such as in the Tor anonymity network the mutual authentication property is undesirable. Meanwhile, considering privacy protection is getting more and more attention and one-way AKE protocols play an important role in privacy protection, so no matter in theory or in practice, it is quite meaningful to conduct research on the one-way AKE protocols. In this article, we present a new efficient anonymous one-way AKE protocol, which has strong anonymity and security properties guarantee, and efficiency advantages. Moreover, our new scheme has tight security reduction and is formally proved secure in the random oracle model under the Gap-DH and XCR signature security assumptions.

An Identity Based-Identification Scheme With Tight Security Against Active and Concurrent Adversaries

Identification schemes are used by machines to securely authenticate the identity of other machines or their users over computer networks. As conventional public key schemes require a trusted third party (TTP) or a public file to ensure the corresponding public key matches with the identity, identity-based cryptosystems emerged as a form of certificate-free system. The entity's identity is the public key itself, therefore eliminating the need for a TTP. The identity-based identification (IBI) scheme introduced by Kurosawa and Heng using their transform in 2004 remains as the only IBI derived from the Boneh-Lynn-Shacham (BLS) short signature scheme which has the advantage of shorter keys. We show tight security reduction against active and concurrent attackers (imp-aa/ca) on our scheme that is obtained from the same transform. As the transform will only produce schemes that are only secure against passive attackers (imp-pa), security against imp-aa/ca scheme relies on a strong One-More interactive assumption and therefore resulted in weak security. While the OR-proof method allows schemes secure against imp-pa to be secure against imp-aa/ca, the resulting security against imp-aa/ca will suffer from loose bounds in addition to the user secret keys being doubled in size. Our work avoids both OR-proof and strong interactive assumptions by showing an ad-hoc proof for our construction which utilizes the weaker well-studied co-computational Diffie-Hellman assumption and yet still has tight security against imp-aa/ca. We demonstrate the tight security of our scheme which allows usage of even shorter key sizes.

Constant-size ring signature scheme using multilinear maps

Ring signature is a group-oriented digital signature with anonymity. Most of existing ring signature schemes use bilinear pairings, are provably secure in the random oracles, or are linear signature size to the number of ring member. In this paper, we use multilinear maps, which have been widely used to construct many novel cryptographic primitives recently, to present a ring signature scheme with constant signature size. The proposed scheme is proven to be anonymous against full key exposure and unforgeable against chosen-subring attacks based on the multilinear computational Diffie-Hellman assumption in the standard model. Furthermore, our scheme has the advantage of tighter security reduction by using an optimal security reduction technique.

Tightly Secure Public-Key Cryptographic Schemes from One-More Assumptions

A tightly secure cryptographic scheme refers to a construction with a tight security reduction to a hardness assumption, where the reduction loss is a small constant. A scheme with tight security is preferred in practice since it could be implemented using a smaller parameter to improve efficiency. Recently, Bader et al. (EUROCRYPT 2016) have proposed a comprehensive study on the impossible tight security reductions for certain (e.g., key-unique) public-key cryptographic schemes in the multi-user with adaptive corruptions (MU-C) setting built upon non-interactive assumptions. The assumptions of one-more version, such as one-more computational Diffie-Hellman (n-CDH), are variants of the standard assumptions and have found various applications. However, whether it is possible to have tightly secure key-unique schemes from the one-more assumptions or the impossible tight reduction results also hold for these assumptions remains unknown. In this paper, we give affirmative answers to the above question, i.e., we can have efficient key-unique public-key cryptographic schemes with tight security built upon the one-more assumptions. Specifically, we propose a digital signature scheme and an encryption scheme, both of which are key-unique and have tight MU-C security under the one-more computational Diffie-Hellman (n-CDH) assumption. Our results also reflect from another aspect that there indeed exists a gap between the standard assumptions and their one-more version counterparts.

New technique for chosen-ciphertext security based on non-interactive zero-knowledge

In this study, we propose a new method for conversion from a one-way (OW)-secure key encapsulation mechanism (KEM) into a chosen-ciphertext (CCA) secure KEM in the random oracle model. Our conversion method is based on the non-interactive zero-knowledge (NIZK) proof system for proving the relationships (e.g., equality or linearity) of discrete logarithms, where the security analysis of our conversion method depends on the NIZK properties of soundness and zero-knowledge. Our conversion method achieves tight security reduction and it is semi-generic in the sense that other than OW-security, a KEM should be NIZK-compatible. From a theoretical viewpoint, our conversion method can be considered as the corresponding approach for obtaining an efficient signature by applying the Fiat–Shamir transform to the NIZK system. We applied our conversion method to several OW-secure (identity-based) KEMs and compared the results with those obtained by previous methods for achieving CCA security.

On Tight Security Proofs for Schnorr Signatures

The Schnorr signature scheme is the most efficient signature scheme based on the discrete logarithm problem and a long line of research investigates the existence of a tight security reduction for this scheme in the random oracle model. Almost all recent works present lower tightness bounds and most recently Seurin EUROCRYPT 2012 showed that under certain assumptions the non-tight security proof for Schnorr signatures in the random oracle by Pointcheval and Stern EUROCRYPT’96 is essentially optimal. All previous works in this direction rule out tight reductions from the (one-more) discrete logarithm problem. In this paper, we introduce a new meta-reduction technique, which shows lower bounds for the large and very natural class of generic reductions. A generic reduction is independent of a particular representation of group elements. Most reductions in state-of-the-art security proofs have this property. It is desirable, because then the reduction applies generically to any concrete instantiation of the group. Our approach shows unconditionally that there is no tight generic reduction from any natural non-interactive computational problem $$\Pi $$ defined over algebraic groups to breaking Schnorr signatures, unless solving $$\Pi $$ is easy. In an additional application of the new meta-reduction technique, we also unconditionally rule out any (even non-tight) generic reduction from natural non-interactive computational problems defined over algebraic groups to breaking Schnorr signatures in the non-programmable random oracle model.

Security of BLS and BGLS signatures in a multi-user setting

Traditional single-user security models do not necessarily capture the power of real-world attackers. A scheme that is secure in the single-user setting may not be as secure in the multi-user setting. Inspired by the recent analysis of Schnorr signatures in the multi-user setting, we analyse Boneh-Lynn-Shacham (BLS) signatures and Boneh-Gentry-Lynn-Shacham (BGLS) aggregate signatures in the multi-user setting. We obtain a tight reduction from the security of key-prefixed BLS in the multi-user model to normal BLS in the single-user model. We introduce a multi-user security model for general aggregate signature schemes, in contrast to the original “chosen-key” security model of BGLS that is analogous to the single-user setting of a signature scheme. We obtain a tight reduction from the security of multi-user key-prefixed BGLS to the security of multi-user key-prefixed BLS. Finally, we apply a technique of Katz and Wang to present a tight security reduction from a variant of multi-user key-prefixed BGLS to the computational co-Diffie-Hellman (co-CDH) problem. All of our results for BLS and BGLS use type III pairings.

Optimal Security Proofs for Full Domain Hash, Revisited

RSA Full Domain Hash (RSA-FDH) is a digital signature scheme, secure against chosen message attacks in the random oracle model. The best known security reduction from the RSA assumption is non-tight, i.e., it loses a factor of $$q_s$$ , where $$q_s$$ is the number of signature queries made by the adversary. It was furthermore proven by Coron (Advances in cryptology—EUROCRYPT 2002, Lecture notes in computer science, vol 2332. Springer, Berlin, pp 272–287, 2002) that a security loss of $$q_s$$ is optimal and cannot possibly be improved. In this work, we uncover a subtle flaw in Coron’s impossibility result. Concretely, we show that it only holds if the underlying trapdoor permutation is certified. Since it is well known that the RSA trapdoor permutation is (for all practical parameters) not certified, this renders Coron’s impossibility result moot for RSA-FDH. Motivated by this, we revisit the question whether there is a tight security proof for RSA-FDH. Concretely, we give a new tight security reduction from a stronger assumption, the Phi-Hiding assumption introduced by Cachin et al. (Advances in Cryptology—EUROCRYPT’99. Lecture notes in computer science, vol 1592. Springer, Berlin, pp 402–414, 1999). This justifies the choice of smaller parameters in RSA-FDH, as it is commonly used in practice. All of our results (positive and negative) extend to the probabilistic signature scheme PSS (with message recovery).

Tightly CCA-secure identity-based encryption with ciphertext pseudorandomness

Affine message authentication code (MAC) and delegatable affine MAC turn out to be useful tools for constructing identity-based encryption (IBE) and hierarchical IBE (HIBE), as shown in Blazy, Kiltz and Pan’s (BKP) creative work in CRYPTO (2014). An important result obtained by BKP is IBE of tight PR-ID-CPA security, i.e., tight IND-ID-CPA security together with ciphertext pseudorandomness (PR). However, the problem of designing tightly PR-ID-CCA2 secure IBE remains open. We note that the CHK transformation does not preserve ciphertext pseudorandomness when converting IND-ID-CPA secure 2-level HIBE to IND-ID-CCA2 secure IBE. In this paper, we solve this problem with a new approach. We introduce a new concept called De-randomized delegatable affine MAC and define for it weak APR-CMA security. We construct such a MAC with a tight security reduction to the Matrix DDH assumption, which includes the k-Linear and DDH assumptions. We present a paradigm for constructing PR-ID-CCA2 secure IBE, which enjoys both ciphertext pseudorandomness and IND-ID-CCA2 security, from De-randomized delegatable affine MAC and Chameleon hashing. The security reduction is tightness preserving. It provides another approach to IND-ID-CCA2 security besides the CHK transformation. By instantiating the paradigm with our specific De-randomized delegatable affine MAC, we obtain the first IBE of tight PR-ID-CCA2 security from the Matrix DDH assumption over pairing groups of prime order. Our IBE also serves as the first tightly IND-ID-CCA2 secure IBE with anonymous recipient (ANON-ID-CCA2) from the Matrix DDH assumption. Our IBE further implies the first tightly IND-ID-CCA2 secure extractable IBE based on the Matrix DDH assumption. The latter can be used to get IBE of simulation-based selective opening CCA2 (SIM-SO-CCA2) security (due to Lai et al. in EUROCRYPT, 2014). The tight security of our IBE leads to a tighter reduction of the SIM-SO-CCA2 security.

New Security Proof for the Boneh-Boyen IBE: Tight Reduction in Unbounded Multi-Challenge Security

Identity-based encryption IBE is an advanced form of public key encryption and one of the most important cryptographic primitives. Of the many constructions of IBE schemes, the one proposed by Boneh and Boyen in Eurocrypt 2004 is quite important from both practical and theoretical points of view. The scheme was standardized as IEEE P1363.3 and is the basis for many subsequent constructions. In this paper, we investigate its multi-challenge security, which means that an adversary is allowed to query challenge ciphertexts multiple times rather than only once. Since single-challenge security implies multi-challenge security, and since Boneh and Boyen provided a security proof for the scheme in the single-challenge setting, the scheme is also secure in the multi-challenge setting. However, this reduction results in a large security loss. Instead, we give tight security reduction for the scheme in the multi-challenge setting. Our reduction is tight even if the number of challenge queries is not fixed in advance that is, the queries are unbounded. Unfortunately, we are only able to prove the security in a selective setting and rely on a non-standard parameterized assumption. Nevertheless, we believe that our new security proof is of interest and provides new insight into the security of the Boneh-Boyen IBE scheme.

Efficient key encapsulation mechanisms with tight security reductions to standard assumptions in the two security models

AbstractIn this paper, we propose two new practical constructions of chosen ciphertext attack secure (CCA secure) key encapsulation mechanisms (KEM, which is the main building block for public key encryption in hybrid encryption), with remarkable security features: Our KEMs can be proved not only to satisfy CCA security (or constrained CCA security introduced by Hofheinz and Kiltz at CRYPTO'07) in the standard model with a tight security reduction to a basic indistinguishability‐type assumption but also to be CCA secure in the random oracle model with a tight security reduction to a basic computational‐type assumption. Our first construction is based on the Diffie–Hellman‐type assumptions, and compared with the KEM by Shoup at EUROCRYPT'00 that has security reductions in two security models (but its security proof in the random model is a loose reduction), our proposed KEM has a smaller ciphertext size with the same computational costs, and more importantly, ours has a tight security reduction also in the random oracle model. Our second construction is based on assumptions related to integer factoring, and compared with the KEM by Hofheinz and Kiltz at CRYPTO'99 that also has tight security reductions in two security models to factoring‐related assumptions, our proposed KEM has similar efficiency (both ciphertext size and computational costs) and bases the security on incomparable assumptions. Copyright © 2016 John Wiley &amp; Sons, Ltd.

Efficient Attribute-Based Encryption Schemes for Secure Communications in Cyber Defense

AbstractHow to securely transmit data over the cyber is an important problem in cyber defense. In this paper, we propose a ciphertext-policy attribute-based encryption (CP-ABE) scheme, in which the messages are encrypted together with access policy, while secret keys are associated with specified sets of attributes, and the secret keys can correctly decrypt the ciphertexts only when the attributes satisfy the associated access policy. Our proposed CP-ABE scheme is provably secure in the full model without random oracles, and has a tight security reduction. We stress that a tight security reduction implies a higher security or the requirement of smaller keys and ciphertext sizes to obtain the same security level, and thus make the scheme more efficient. Thus our scheme can be efficiently used to encrypt the transmitted data over cyber in a fine-grained manner.

Efficient ID-based public auditing for the outsourced data in cloud storage

Cloud storage can make data users store and access their files anytime, from anywhere and with any device. To ensure the security of the outsourced data, data user needs to periodically check data integrity. The existing public auditing schemes are mainly based on the PKI (public key infrastructure). In this infrastructure, the auditor must validate the certificates of data user before auditing data integrity. Thus, it results in a large amount of computation cost. Especially, it brings heavy burden to the auditor in the multi-user setting. To overcome this problem, in this paper, we propose an efficient ID-based auditing protocol for cloud data integrity based on ID-Based Cryptography, which is provably secure in the random oracle model and has tight security reduction. And we also extend it to support batch auditing in the multi-user setting. Finally, extensive security and simulation results show that our ID-based auditing protocols are secure and efficient, especially it reduces the computation cost of the auditor in the multi-user setting. In comparison with Wang et al.’s ID-based remote data possession checking protocol, our protocol is more suitable to the large-scale cloud storage system.