scispace - formally typeset
Author

Yi Mu

Bio: Yi Mu is an academic researcher from Fujian Normal University. The author has contributed to research in topics: Encryption & Public-key cryptography. The author has an h-index of 49, and has co-authored 584 publications receiving 9999 citations. Previous affiliations of Yi Mu include Tianjin University & University of Wollongong.


Papers
Book Chapter
14 Dec 2005
TL;DR: This paper shows that the certificateless signature scheme from Asiacrypt 2003 is insecure in its own security model, gives an attack that forges a certificateless signature in that model, and fixes the problem by proposing a new scheme.
Abstract: In traditional digital signature schemes, certificates signed by a trusted party are required to ensure the authenticity of the public key. In Asiacrypt 2003, the concept of certificateless signature scheme was introduced. In the new paradigm, the necessity of certificates has been successfully removed. The security model for certificateless cryptography was also introduced in the same paper. However, as we shall show in this paper, the proposed certificateless signature is insecure in their defined model. We provide an attack that can successfully forge a certificateless signature in their model. We also fix this problem by proposing a new scheme.

272 citations

Book Chapter
02 Jul 2007
TL;DR: This paper revisits the security models of certificateless signatures and proposes two new constructions that are provably secure in the random oracle model; the first is proved secure against Normal Type I and Super Type II adversaries and has the shortest signature length among known certificateless signature schemes.
Abstract: In this paper we revisit the security models of certificateless signatures and propose two new constructions which are provably secure in the random oracle model. We divide the potential adversaries according to their attack power, and for the first time, three new kinds of adversaries are introduced into certificateless signatures. They are Normal Adversary, Strong Adversary and Super Adversary (ordered by their attack power). Combined with the known Type I Adversary and Type II Adversary in certificateless systems, we then define the security of certificateless signatures in different attack scenarios. Our new models, together with the others in the literature, will enable us to better understand the security of certificateless signatures. Two concrete schemes with different security levels are also proposed in this paper. The first scheme, which is proved secure against Normal Type I and Super Type II Adversary, enjoys the shortest signature length among all the known certificateless signature schemes. The second scheme is secure against Super Type I and Type II adversaries. Compared with the scheme in ACNS 2006 which has a similar security level, our second scheme requires lower operation cost but a little longer signature length.

258 citations

Proceedings Article
20 Mar 2007
TL;DR: This paper proposes new security models for certificateless signature and encryption schemes that drop the assumption that a malicious KGC generates its master key pair honestly before attacking, and shows that a class of previously proposed certificateless encryption and signature schemes are insecure under these models.
Abstract: Identity-based cryptosystems have an inherent key escrow issue, that is, the Key Generation Center (KGC) always knows the user secret key. If the KGC is malicious, it can always impersonate the user. Certificateless cryptography, introduced by Al-Riyami and Paterson in 2003, is intended to solve this problem. However, in all the previously proposed certificateless schemes, it is always assumed that the malicious KGC starts launching attacks (so-called Type II attacks) only after it has generated a master public/secret key pair honestly. In this paper, we propose new security models that remove this assumption for both certificateless signature and encryption schemes. Under the new models, we show that a class of certificateless encryption and signature schemes proposed previously are insecure. These schemes still suffer from the key escrow problem. On the other side, we also give new proofs to show that there are two generic constructions, one for certificateless signature and the other for certificateless encryption, proposed recently that are secure under our new models.

212 citations

Book Chapter
06 Sep 2006
TL;DR: This paper presents a dynamic k-times anonymous authentication (k-TAA) scheme with space and time complexity of O(log(k)), where k is the allowed number of authentications.
Abstract: k-times anonymous authentication (k-TAA) schemes allow members of a group to be authenticated anonymously by application providers for a bounded number of times. Dynamic k-TAA allows application providers to independently grant or revoke users from their own access group so as to provide better control over their clients. In terms of time and space complexity, existing dynamic k-TAA schemes are of complexity O(k), where k is the allowed number of authentications. In this paper, we construct a dynamic k-TAA scheme with space and time complexities of O(log(k)). We also outline how to construct a dynamic k-TAA scheme with a constant proving effort. Public key size of this variant, however, is O(k). We then construct an ordinary k-TAA scheme from the dynamic scheme. We also describe a trade-off between efficiency and setup freeness of AP, in which AP does not need to hold any secret while maintaining control over their clients. To build our system, we modify the short group signature scheme into a signature scheme and provide efficient protocols that allow one to prove in zero-knowledge the knowledge of a signature and to obtain a signature on a committed block of messages. We prove that the signature scheme is secure in the standard model under the q-SDH assumption. Finally, we show that our dynamic k-TAA scheme, constructed from bilinear pairings, is secure in the random oracle model.

189 citations

Book Chapter
Qianhong Wu, Yi Mu, Willy Susilo, Bo Qin, Josep Domingo-Ferrer
16 Apr 2009
TL;DR: This work proposes a generic construction of one-round ASGKAs based on a new primitive referred to as aggregatable signature-based broadcast (ASBB), in which the public key can be simultaneously used to verify signatures and encrypt messages while any signature can be used to decrypt ciphertexts under this public key.
Abstract: A group key agreement (GKA) protocol allows a set of users to establish a common secret via open networks. Observing that a major goal of GKAs for most applications is to establish a confidential channel among group members, we revisit the group key agreement definition and distinguish the conventional (symmetric) group key agreement from asymmetric group key agreement (ASGKA) protocols. Instead of a common secret key, only a shared encryption key is negotiated in an ASGKA protocol. This encryption key is accessible to attackers and corresponds to different decryption keys, each of which is only computable by one group member. We propose a generic construction of one-round ASGKAs based on a new primitive referred to as aggregatable signature-based broadcast (ASBB), in which the public key can be simultaneously used to verify signatures and encrypt messages while any signature can be used to decrypt ciphertexts under this public key. Using bilinear pairings, we realize an efficient ASBB scheme equipped with useful properties. Following the generic construction, we instantiate a one-round ASGKA protocol tightly reduced to the decision Bilinear Diffie-Hellman Exponentiation (BDHE) assumption in the standard model.

184 citations


Cited by
Journal Article
TL;DR: This edited volume collects chapters on quantum computing, quantum entanglement, optical-atomic interfacing, and the limits of quantum information and cryptography, all with continuous variables, including the Deutsch-Jozsa algorithm for continuous variables and continuous-variable quantum key distribution.
Abstract: Preface. About the Editors. Part I: Quantum Computing. 1. Quantum computing with qubits S.L. Braunstein, A.K. Pati. 2. Quantum computation over continuous variables S. Lloyd, S.L. Braunstein. 3. Error correction for continuous quantum variables S.L. Braunstein. 4. Deutsch-Jozsa algorithm for continuous variables A.K. Pati, S.L. Braunstein. 5. Hybrid quantum computing S. Lloyd. 6. Efficient classical simulation of continuous variable quantum information processes S.D. Bartlett, B.C. Sanders, S.L. Braunstein, K. Nemoto. Part II: Quantum Entanglement. 7. Introduction to entanglement-based protocols S.L. Braunstein, A.K. Pati. 8. Teleportation of continuous quantum variables S.L. Braunstein, H.J. Kimble. 9. Experimental realization of continuous variable teleportation A. Furusawa, H.J. Kimble. 10. Dense coding for continuous variables S.L. Braunstein, H.J. Kimble. 11. Multipartite Greenberger-Horne-Zeilinger paradoxes for continuous variables S. Massar, S. Pironio. 12. Multipartite entanglement for continuous variables P. van Loock, S.L. Braunstein. 13. Inseparability criterion for continuous variable systems Lu-Ming Duan, G. Giedke, J.I. Cirac, P. Zoller. 14. Separability criterion for Gaussian states R. Simon. 15. Distillability and entanglement purification for Gaussian states G. Giedke, Lu-Ming Duan, J.I. Cirac, P. Zoller. 16. Entanglement purification via entanglement swapping S. Parke, S. Bose, M.B. Plenio. 17. Bound entanglement for continuous variables is a rare phenomenon P. Horodecki, J.I. Cirac, M. Lewenstein. Part III: Continuous Variable Optical-Atomic Interfacing. 18. Atomic continuous variable processing and light-atoms quantum interface A. Kuzmich, E.S. Polzik. Part IV: Limits on Quantum Information and Cryptography. 19. Limitations on discrete quantum information and cryptography S.L. Braunstein, A.K. Pati. 20. Quantum cloning with continuous variables N.J. Cerf. 21. Quantum key distribution with continuous variables in optics T.C. Ralph. 22. Secure quantum key distribution using squeezed states D. Gottesman, J. Preskill. 23. Experimental demonstration of dense coding and quantum cryptography with continuous variables Kunchi Peng, Qing Pan, Jing Zhang, Changde Xie. 24. Quantum solitons in optical fibres: basic requisites for experimental quantum communication G. Leuchs, Ch. Silberhorn, E. Konig, P.K. Lam, A. Sizmann, N. Korolkova. Index.

2,940 citations

01 Apr 1997
TL;DR: This paper gives a comprehensive introduction to applied cryptography for engineers and computer scientists, emphasizing the knowledge needed to build practical systems that support integrity, confidentiality, or authenticity.
Abstract: The objective of this paper is to give a comprehensive introduction to applied cryptography with an engineer or computer scientist in mind. The emphasis is on the knowledge needed to create practical systems which support integrity, confidentiality, or authenticity. Topics covered include an introduction to the concepts in cryptography, attacks against cryptographic systems, key use and handling, random bit generation, encryption modes, and message authentication codes. Recommendations on algorithms and further reading are given at the end of the paper. This paper should make the reader able to build, understand and evaluate system descriptions and designs based on the cryptographic components described in the paper.

2,188 citations

Book Chapter
04 Oct 2019
TL;DR: This paper develops a computational complexity theory of the knowledge contained in a proof, defines zero-knowledge proofs as those conveying nothing beyond the truth of the proposition, and gives the first zero-knowledge proof systems for quadratic residuosity and quadratic nonresiduosity.
Abstract: Usually, a proof of a theorem contains more knowledge than the mere fact that the theorem is true. For instance, to prove that a graph is Hamiltonian it suffices to exhibit a Hamiltonian tour in it; however, this seems to contain more knowledge than the single bit Hamiltonian/non-Hamiltonian. In this paper a computational complexity theory of the "knowledge" contained in a proof is developed. Zero-knowledge proofs are defined as those proofs that convey no additional knowledge other than the correctness of the proposition in question. Examples of zero-knowledge proof systems are given for the languages of quadratic residuosity and quadratic nonresiduosity. These are the first examples of zero-knowledge proofs for languages not known to be efficiently recognizable.

1,962 citations

Posted Content
TL;DR: This paper defines and explores proofs of retrievability (PORs): a POR scheme enables an archive or back-up service to produce a concise proof that a user can retrieve a target file F, that is, that the archive retains and reliably transmits file data sufficient for the user to recover F in its entirety.
Abstract: In this paper, we define and explore proofs of retrievability (PORs). A POR scheme enables an archive or back-up service (prover) to produce a concise proof that a user (verifier) can retrieve a target file F, that is, that the archive retains and reliably transmits file data sufficient for the user to recover F in its entirety. A POR may be viewed as a kind of cryptographic proof of knowledge (POK), but one specially designed to handle a large file (or bitstring) F. We explore POR protocols here in which the communication costs, number of memory accesses for the prover, and storage requirements of the user (verifier) are small parameters essentially independent of the length of F. In addition to proposing new, practical POR constructions, we explore implementation considerations and optimizations that bear on previously explored, related schemes. In a POR, unlike a POK, neither the prover nor the verifier need actually have knowledge of F. PORs give rise to a new and unusual security definition whose formulation is another contribution of our work. We view PORs as an important tool for semi-trusted online archives. Existing cryptographic techniques help users ensure the privacy and integrity of files they retrieve. It is also natural, however, for users to want to verify that archives do not delete or modify files prior to retrieval. The goal of a POR is to accomplish these checks without users having to download the files themselves. A POR can also provide quality-of-service guarantees, i.e., show that a file is retrievable within a certain time bound.

1,783 citations