There is, I think, something ethereal about i —the square root of minus one. I remember first hearing about it at school. It seemed an odd beast at that time—an intruder hovering on the edge of reality.

Usually familiarity dulls this sense of the bizarre, but in the case of i it was the reverse: over the years the sense of its surreal nature intensified. It seemed that it was impossible to write mathematics that described the real world in …

I and i

We propose a fully functional identity-based encryption (IBE) scheme. The scheme has chosen ciphertext security in the random oracle model assuming a variant of the computational Diffie--Hellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. We give precise definitions for secure IBE schemes and give several applications for such systems.

/pdf/identity-based-encryption-from-the-weil-pairing-1x4254f2zc.pdf

Identity-Based Encryption from the Weil Pairing

In several distributed systems a user should only be able to access data if a user posses a certain set of credentials or attributes. Currently, the only method for enforcing such policies is to employ a trusted server to store the data and mediate access control. However, if any server storing the data is compromised, then the confidentiality of the data will be compromised. In this paper we present a system for realizing complex access control on encrypted data that we call ciphertext-policy attribute-based encryption. By using our techniques encrypted data can be kept confidential even if the storage server is untrusted; moreover, our methods are secure against collusion attacks. Previous attribute-based encryption systems used attributes to describe the encrypted data and built policies into user's keys; while in our system attributes are used to describe a user's credentials, and a party encrypting data determines a policy for who can decrypt. Thus, our methods are conceptually closer to traditional access control methods such as role-based access control (RBAC). In addition, we provide an implementation of our system and give performance measurements.

/pdf/ciphertext-policy-attribute-based-encryption-q09jxdyx4n.pdf

Ciphertext-Policy Attribute-Based Encryption

As more sensitive data is shared and stored by third-party sites on the Internet, there will be a need to encrypt data stored at these sites. One drawback of encrypting data, is that it can be selectively shared only at a coarse-grained level (i.e., giving another party your private key). We develop a new cryptosystem for fine-grained sharing of encrypted data that we call Key-Policy Attribute-Based Encryption (KP-ABE). In our cryptosystem, ciphertexts are labeled with sets of attributes and private keys are associated with access structures that control which ciphertexts a user is able to decrypt. We demonstrate the applicability of our construction to sharing of audit-log information and broadcast encryption. Our construction supports delegation of private keys which subsumesHierarchical Identity-Based Encryption (HIBE).

/pdf/attribute-based-encryption-for-fine-grained-access-control-3fjqefx4um.pdf

Attribute-based encryption for fine-grained access control of encrypted data

We introduce a short signature scheme based on the Computational Diffie-Hellman assumption on certain elliptic and hyperelliptic curves. The signature length is half the size of a DSA signature for a similar level of security. Our short signature scheme is designed for systems where signatures are typed in by a human or signatures are sent over a low-bandwidth channel.

/pdf/short-signatures-from-the-weil-pairing-5ajupg0cpi.pdf

Short Signatures from the Weil Pairing

We examine all of the signature submissions to Round-2 of the NIST PQC “competition” in the context of whether one can transform them into threshold signature schemes in a relatively straight forward manner. We conclude that all schemes, except the ones in the MQ family, have significant issues when one wishes to convert them using relatively generic MPC techniques. The lattice based schemes are hampered by requiring a mix of operations which are suited to both linear secret shared schemes (LSSS)-based and garbled circuits (GC)-based MPC techniques (thus requiring costly transfers between the two paradigms). The Picnic and SPHINCS+ algorithms are hampered by the need to compute a large number of hash function queries on secret data. Of the nine submissions the two which would appear to be most suitable for using in a threshold like manner are Rainbow and LUOV, with LUOV requiring less rounds and less data storage.

/pdf/sharing-the-luov-threshold-post-quantum-signatures-3m2y7huxab.pdf

Sharing the LUOV: Threshold Post-Quantum Signatures.

The UMTS/LTE protocol for mobile phone networks has been designed to offer a limited form of anonymity for mobile phone users. In this paper, we quantify precisely what this limited form of anonymity actually provides via a formal security model. The model considers an execution where the home and roaming network providers are considered as one entity. We consider two forms of anonymity, one where the mobile stations under attack are statically selected before the execution, and a second where the adversary selects these stations adaptively. We prove that the UMTS/LTE protocol meets both of these security definitions. Our analysis requires new assumptions on the underlying keyed functions for UMTS, namely that a set of pseudorandom functions are "agile". This assumption, while probably true, has not previously been brought to the fore.

/pdf/anonymity-guarantees-of-the-umts-lte-authentication-and-3opexq1h7h.pdf

Anonymity guarantees of the UMTS/LTE authentication and connection protocol

Although they do not suffer from clear attacks, various key agreement protocols (for example that used within the TLS protocol) are deemed as insecure by existing security models for key exchange. The reason is that the derived keys are used within the key exchange step, violating the usual key indistinguishability requirement. In this paper we propose a new security definition for key exchange protocols that offers two important benefits. Our notion is weaker than the more established ones, and thus allows the analysis of a larger class of protocols. Furthermore, security in the sense that we define enjoys rather general composability properties. In addition, our composability properties are derived within game based formalisms, and do not appeal to any simulation based paradigm. Specifically, we show that for protocols, whose security relies exclusively on some underlying symmetric primitive, can be securely composed with key exchange protocols provided that two main requirements hold: 1) no adversary can break the underlying primitive, even when the primitive uses keys obtained from executions of the key exchange protocol in the presence of the adversary (this is essentially the security requirement that we introduce and formalize in this paper), and 2) the security of the protocol can be reduced to that of the primitive, no matter how the keys for the primitive are distributed. Proving that the two conditions are satisfied, and then applying our generic theorem, should be simpler than performing a monolithic analysis of the composed protocol. We exemplify our results in the case of a profile of the TLS

/pdf/less-is-more-relaxed-yet-composable-security-notions-for-key-5b2s0gnjz7.pdf

Less is More: Relaxed yet Composable Security Notions for Key Exchange.

Recently, Cramer et al. (CRYPTO 2018) presented a protocol, \(\mathsf {SPDZ2k}\), for actively secure multiparty computation for dishonest majority in the pre-processing model over the ring \(\mathbb {Z}_{2^k}\), instead of over a prime field \(\mathbb {F}_p\). Their technique used oblivious transfer for the pre-processing phase, more specifically the MASCOT protocol (Keller et al. CCS 2016). In this paper we describe a more efficient technique for secure multiparty computation over \(\mathbb {Z}_{2^k}\) based on somewhat homomorphic encryption. In particular we adapt the Overdrive approach (Keller et al. EUROCRYPT 2018) to obtain a protocol which is more like the original SPDZ protocol (Damgard et al. CRYPTO 2012). To accomplish this we introduce a special packing technique for the BGV encryption scheme operating on the plaintext space defined by the \(\mathsf {SPDZ2k}\) protocol, extending the ciphertext packing method used in SPDZ to the case of \(\mathbb {Z}_{2^k}\). We also present a more complete pre-processing phase for secure computation modulo \(2^k\) by adding a new technique to produce shared random bits.

Overdrive2k: Efficient Secure MPC over \(\mathbb {Z}_{2^k}\) from Somewhat Homomorphic Encryption

We present the first actively secure variant of a distributed signature scheme based on isogenies. The protocol produces signatures from the recent CSI-FiSh signature scheme. Our scheme works for any access structure, as we use a replicated secret sharing scheme to define the underlying secret sharing; as such it is only practical when the number of maximally unqualified sets is relatively small. This, however, includes the important case of full threshold, and (n, t)-threshold schemes when n is small.

Nigel P. Smart

Papers

Sharing the LUOV: Threshold Post-Quantum Signatures.

Anonymity guarantees of the UMTS/LTE authentication and connection protocol

Less is More: Relaxed yet Composable Security Notions for Key Exchange.

Overdrive2k: Efficient Secure MPC over \(\mathbb {Z}_{2^k}\) from Somewhat Homomorphic Encryption

Sashimi: Cutting up CSI-FiSh Secret Keys to Produce an Actively Secure Distributed Signing Protocol