
Showing papers by Keita Emura published in 2012


Book ChapterDOI
16 May 2012
TL;DR: A generic construction of GS-MDO is proposed from identity-based encryption and adaptive NIZK proofs, and a specific instantiation from the Groth-Sahai proof system is given by constructing a new (k-resilient) identity-based encryption scheme that is compatible with the Groth-Sahai proof system.
Abstract: This paper introduces a new capability of the group signature, called message-dependent opening. It is intended to weaken the high trust placed in the opener, since ordinary group signatures provide no anonymity against the opener. In a group signature system with message-dependent opening (GS-MDO), in addition to the opener, we set up the admitter, which is not able to open any user's identity but permits the opener to open signatures by specifying the messages whose signatures should be opened. For any signature whose corresponding message is not specified by the admitter, the opener cannot extract the signer's identity from it. In this paper, we present formal definitions and constructions of GS-MDO. Furthermore, we also show that GS-MDO implies identity-based encryption, and thus for designing a GS-MDO scheme, identity-based encryption is crucial. Actually, we propose a generic construction of GS-MDO from identity-based encryption and adaptive NIZK proofs, and its specific instantiation from the Groth-Sahai proof system by constructing a new (k-resilient) identity-based encryption scheme which is compatible with the Groth-Sahai proof system.

60 citations


Journal ArticleDOI
TL;DR: This paper proposes ABSC with a dynamic property, where the access structure of the encryptor can be updated flexibly without re-issuing users' secret keys, and calls this primitive dynamic attribute-based signcryption (DABSC); it is secure in the standard model under the decision bilinear Diffie-Hellman assumption and the computational Diffie-Hellman assumption.
Abstract: In SCN2010, Gagne, Narayan, and Safavi-Naini proposed attribute-based signcryption (ABSC) with threshold structure. As in ciphertext-policy attribute-based encryption (CP-ABE), an encryptor can specify the access structure of decryptors, and as in attribute-based signature (ABS), each decryptor can verify the encryptor's attributes. In contrast to the access structure of decryptors, the access structure of the encryptor needs to be fixed in the setup phase. In this paper, we propose ABSC with a dynamic property, where the access structure of the encryptor can be updated flexibly without re-issuing users' secret keys. We call this primitive dynamic attribute-based signcryption (DABSC). Our DABSC scheme is secure in the standard model under the decision bilinear Diffie-Hellman assumption and the computational Diffie-Hellman assumption.

53 citations


Book ChapterDOI
21 May 2012
TL;DR: The notion of opening soundness for group signatures is introduced which essentially requires that it is infeasible to produce a proof of ownership of a valid group signature for any user except the original signer.
Abstract: We identify a potential weakness in the standard security model for dynamic group signatures which appears to have been overlooked previously. More specifically, we highlight that even if a scheme provably meets the security requirements of the model, a malicious group member can potentially claim ownership of a group signature produced by an honest group member by forging a proof of ownership. This property leads to a number of vulnerabilities in scenarios in which dynamic group signatures are likely to be used. We furthermore show that the currently most efficient dynamic group signature scheme does not provide protection against this type of malicious behavior. To address this, we introduce the notion of opening soundness for group signatures which essentially requires that it is infeasible to produce a proof of ownership of a valid group signature for any user except the original signer. We then show a relatively simple modification of the scheme by Groth (ASIACRYPT 2007, full version) which allows us to prove opening soundness for the modified scheme without introducing any additional assumptions. We believe that opening soundness is an important and natural security requirement for group signatures, and hope that future schemes will adopt this type of security.

45 citations


Posted Content
TL;DR: In this article, the authors introduce the notion of opening soundness for group signatures, which essentially requires that it is infeasible to produce a proof of ownership of a valid group signature for any user except the original signer.
Abstract: We identify a potential weakness in the standard security model for dynamic group signatures which appears to have been overlooked previously. More specifically, we highlight that even if a scheme provably meets the security requirements of the model, a malicious group member can potentially claim ownership of a group signature produced by an honest group member by forging a proof of ownership. This property leads to a number of vulnerabilities in scenarios in which dynamic group signatures are likely to be used. We furthermore show that the dynamic group signature scheme by Groth (ASIACRYPT 2007) does not provide protection against this type of malicious behavior. To address this, we introduce the notion of opening soundness for group signatures which essentially requires that it is infeasible to produce a proof of ownership of a valid group signature for any user except the original signer. We then show a relatively simple modification of the scheme by Groth which allows us to prove opening soundness for the modified scheme without introducing any additional assumptions. We believe that opening soundness is an important and natural security requirement for group signatures, and hope that future schemes will adopt this type of security.

44 citations


Book ChapterDOI
05 Sep 2012
TL;DR: This work proposes a new methodology for designing efficient TSE schemes by using forward-secure encryption (FSE), and based on this methodology it presents a specific TSE scheme using Boneh-Boyen-Goh FSE and a generic construction from any FSE.
Abstract: Paterson and Quaglia (SCN 2010) proposed the concept of time-specific encryption (TSE) and its efficient constructions. TSE is a type of public key encryption with additional functionality where an encryptor can specify a suitable time interval, meaning that the ciphertexts may only be decrypted within this time interval. In this work, we propose a new methodology for designing efficient TSE schemes by using forward-secure encryption (FSE), and based on this methodology, we present a specific TSE scheme using Boneh-Boyen-Goh FSE, and a generic construction from any FSE. Our proposed TSE schemes are practical in all aspects with regard to computational costs and data sizes. The sizes of the ciphertext and the public parameter in our schemes are significantly smaller than those in previous schemes in an asymptotic sense.

38 citations


Proceedings ArticleDOI
26 Mar 2012
TL;DR: This paper scrutinizes the original POST intrusion-resilient system and improves the POST scheme from the viewpoint of both security and efficiency without spoiling significant benefit points of the original one.
Abstract: In INFOCOM 2010, Pietro, Oligeri, Soriente, and Tsudik (POST) proposed an intrusion-resilient system with forward and backward secrecy in mobile Unattended Wireless Sensor Networks (UWSNs), where sensors move according to some mobility model (random jump model and random waypoint model). In the POST scheme, each sensor encrypts its ephemeral key $K$ as a plaintext by using the sink's public key, and sends this ciphertext together with the sensed data encrypted under $K$. Although the POST scheme recommends hybrid encryption, it does not follow the conventional hybrid encryption usage, i.e., the POST scheme is not necessarily secure. More concretely, $K$ must be regarded as a plaintext of the underlying public key system, and therefore the POST scheme requires at least one more encryption procedure (i.e., encryptions for both $K$ and the data) compared with the conventional hybrid encryption procedure. In this paper, we scrutinize the original POST intrusion-resilient system. We set deployed information as a seed used for generating a random number (which is applied for public key encryption). This procedure follows the conventional hybrid encryption usage, and the random-number-leakage problem does not occur. In conclusion, we improve the POST scheme from the viewpoint of both security and efficiency without spoiling the significant benefit points of the original one.

5 citations
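The distinction the abstract draws is easier to see in code. The following Python is an illustration added to this listing; it is not the POST scheme and not the code of the paper above. It contrasts conventional KEM/DEM hybrid encryption, where the data key is derived from the randomness of the public-key step, with the pattern criticised above, where a separately chosen key $K$ is itself encrypted as a plaintext under the sink's public key, and it shows the public-key randomness being driven from a seed instead of fresh random bytes. The hashed-ElGamal group, the SHA-256 counter keystream with an HMAC tag, and the `seeded_rand` helper are assumptions made for the illustration; the group parameters are a toy and must not be used as-is.

```python
"""Added illustration: conventional KEM/DEM hybrid encryption vs. encrypting the
session key K as a PKE plaintext.  Toy parameters; not the POST scheme and not
this paper's scheme."""
import hashlib
import hmac
import os

# Assumption: toy multiplicative group mod p.  The prime is the Curve25519 field
# prime used only as a convenient big modulus; the group structure has NOT been
# checked, so this is an illustration, not a secure parameter set.
P = 2**255 - 19
G = 2


def _rand_exponent(rand):
    return int.from_bytes(rand(32), "big") % (P - 2) + 1


def keygen(rand=os.urandom):
    """Sink key pair (sk, pk) = (x, g^x)."""
    x = _rand_exponent(rand)
    return x, pow(G, x, P)


def _kdf(shared, label):
    return hashlib.sha256(label + shared.to_bytes(32, "big")).digest()


def encap(pk, rand=os.urandom):
    """KEM: the public-key randomness r is what produces the data key.
    K = H(pk^r) is derived; it is never chosen and never encrypted as a plaintext."""
    r = _rand_exponent(rand)
    return pow(G, r, P), _kdf(pow(pk, r, P), b"kem")


def decap(sk, c0):
    return _kdf(pow(c0, sk, P), b"kem")


def _keystream(k, n):
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(k + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:n]


def dem_encrypt(k, msg):
    """DEM: SHA-256 counter keystream, encrypt-then-MAC with HMAC-SHA256.
    No nonce because every k is used for exactly one message."""
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(k, len(msg))))
    return ct + hmac.new(k, ct, hashlib.sha256).digest()


def dem_decrypt(k, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(k, ct, hashlib.sha256).digest(), tag):
        raise ValueError("DEM tag mismatch: ciphertext rejected")
    return bytes(a ^ b for a, b in zip(ct, _keystream(k, len(ct))))


# --- conventional hybrid encryption: one KEM call + one DEM call ------------
def hybrid_encrypt(pk, msg, rand=os.urandom):
    c0, k = encap(pk, rand)
    return c0, dem_encrypt(k, msg)


def hybrid_decrypt(sk, c0, blob):
    return dem_decrypt(decap(sk, c0), blob)


# --- the pattern the abstract criticises: K chosen, then PKE-encrypted ------
def pke_encrypt(pk, k_plain, rand=os.urandom):
    """Hashed-ElGamal PKE of a 32-byte plaintext: internally a KEM plus a pad."""
    c0, pad = encap(pk, rand)
    return c0, bytes(a ^ b for a, b in zip(k_plain, pad))


def pke_decrypt(sk, c0, c1):
    return bytes(a ^ b for a, b in zip(c1, decap(sk, c0)))


def post_style_encrypt(pk, msg, rand=os.urandom):
    """K is a plaintext of the PKE, so the sender runs two encryptions
    (K under pk, then the data under K) where KEM/DEM runs one."""
    k = rand(32)
    c0, c1 = pke_encrypt(pk, k, rand)
    return c0, c1, dem_encrypt(k, msg)


def post_style_decrypt(sk, c0, c1, blob):
    return dem_decrypt(pke_decrypt(sk, c0, c1), blob)


def seeded_rand(seed):
    """Assumption: deterministic byte source standing in for 'deployed
    information used as a seed' for the public-key randomness.  A real
    deployment would feed the seed to a proper DRBG."""
    counter = 0

    def rand(n):
        nonlocal counter
        out = b""
        while len(out) < n:
            out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
            counter += 1
        return out[:n]
    return rand


if __name__ == "__main__":
    sk, pk = keygen()
    c0, blob = hybrid_encrypt(pk, b"temperature=21.5", seeded_rand(b"deploy-info"))
    print(hybrid_decrypt(sk, c0, blob))
```

The point to take from `post_style_encrypt` is structural, not a bug in the toy: once $K$ is a plaintext of the PKE, the sender pays for the PKE's own key-encapsulation plus the data encryption, and the security argument has to treat $K$ as a message rather than as a KEM output. In `hybrid_encrypt` the same public-key randomness yields the data key directly, which is the conventional usage the abstract refers to.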


Journal Article
TL;DR: This paper proposes the first revocable group signature scheme in which the number of revoked users r is kept hidden, and newly defines a security notion, anonymity w.r.t. the revocation, which guarantees the unlinkability of revoked users.
Abstract: If there are many displaced workers in a company, then a person who goes job hunting might not select this company. That is, the number of members who quit is quite negative information. Similarly, in revocable group signature schemes, if one knows (or guesses) the number of revoked users (say r), then one may guess the reason behind such circumstances, and it may lead to harmful rumors. However, no previous revocation procedure can hide r. In this paper, we propose the first revocable group signature scheme where r is kept hidden. To handle these properties, we newly define the security notion called anonymity w.r.t. the revocation, which guarantees the unlinkability of revoked users.

1 citation


Proceedings Article
01 Jan 2012
TL;DR: The GKE+S protocol is authenticated key exchange (AKE) secure under the Gap Diffie-Hellman assumption in the random oracle model, and its subgroup key derivation algorithm is probabilistic, whereas it is deterministic in the original Abdalla et al. GKE+S protocol.
Abstract: In AFRICACRYPT2010, Abdalla, Chevalier, Manulis, and Pointcheval proposed an improvement of group key exchange (GKE), denoted by GKE+S, which enables on-demand derivation of independent secret subgroup keys for all potential subsets. On-demand derivation is efficient (actually, it requires only one round) compared with GKE for a subgroup (which usually requires two or more rounds) by re-using values that were used in the initial GKE session of the superior group. In this paper, we improve the Abdalla et al. GKE+S protocol to support key randomization. In our GKE+S protocol, the subgroup key derivation algorithm is probabilistic, whereas it is deterministic in the original Abdalla et al. GKE+S protocol. All subgroup members can compute the new subgroup key (e.g., as a countermeasure against subgroup key leakage) with just one round of additional complexity. Our subgroup key establishment methodology is inspired by the "essential idea" of the NAXOS technique. Our GKE+S protocol is authenticated key exchange (AKE) secure under the Gap Diffie-Hellman assumption in the random oracle model.