## CryptoDB

#### Publications

Year
Venue
Title
2021
PKC
Classically, selective-opening attack (SOA) has been studied for \emph{randomized} primitives, like randomized encryption schemes and commitments. The study of SOA for deterministic primitives, which presents some unique challenges, was initiated by Bellare \emph{et al.} (PKC 2015), who showed negative results. Subsequently, Hoang \emph{et al.} (ASIACRYPT 2016) showed positive results in the non-programmable random oracle model. Here we show the first positive results for SOA security of deterministic primitives in the \emph{standard} (RO devoid) model. Our results are: \begin{itemize} \item Any $2t$-wise independent hash function is SOA secure for an unbounded number of $t$-correlated'' messages, meaning any group of up to $t$ messages are arbitrarily correlated. \item A construction of a deterministic encryption scheme with analogous security, combining a regular lossy trapdoor function with a $2t$-wise independent hash function. \item The one-more-RSA problem of Bellare \emph{et al.} (J.~Cryptology 2003), which can be seen as a form of SOA, is hard under the $\Phi$-Hiding Assumption with large enough encryption exponent. \end{itemize} Somewhat surprisingly, the last result yields the first proof of RSA-based Chaum's blind signature scheme (CRYPTO 1982) based on a standard'' computational assumption. Notably, it avoids the impossibility result of Pass (STOC 2011) because lossiness of RSA endows the scheme with non-unique signatures.
2017
JOFC
2016
PKC
2016
PKC
2016
ASIACRYPT
2016
ASIACRYPT
2015
JOFC
2014
PKC
2013
CRYPTO
2013
EUROCRYPT
2012
TCC
2012
ASIACRYPT
2011
TCC
2011
CRYPTO
2011
CRYPTO
2010
CRYPTO
2010
EUROCRYPT
2009
EUROCRYPT
2008
EPRINT
We strengthen the foundations of deterministic public-key encryption via definitional equivalences and standard-model constructs based on general assumptions. Specifically we consider seven notions of privacy for deterministic encryption, including six forms of semantic security and an indistinguishability notion, and show them all equivalent. We then present a deterministic scheme for the secure encryption of uniformly and independently distributed messages based solely on the existence of trapdoor one-way permutations. We show a generalization of the construction that allows secure deterministic encryption of independent high-entropy messages. Finally we show relations between deterministic and standard (randomized) encryption.
2008
EPRINT
The study of deterministic public-key encryption was initiated by Bellare et al. (CRYPTO~'07), who provided the strongest possible" notion of security for this primitive (called PRIV) and constructions in the random oracle (RO) model. We focus on constructing efficient deterministic encryption schemes \emph{without} random oracles. To do so, we propose a slightly weaker notion of security, saying that no partial information about encrypted messages should be leaked as long as each message is a-priori hard-to-guess \emph{given the others} (while PRIV did not have the latter restriction). Nevertheless, we argue that this version seems adequate for certain practical applications. We show equivalence of this definition to single-message and indistinguishability-based ones, which are easier to work with. Then we give general constructions of both chosen-plaintext (CPA) and chosen-ciphertext-attack (CCA) secure deterministic encryption schemes, as well as efficient instantiations of them under standard number-theoretic assumptions. Our constructions build on the recently-introduced framework of Peikert and Waters (STOC '08) for constructing CCA-secure \emph{probabilistic} encryption schemes, extending it to the deterministic-encryption setting and yielding some improvements to their original results as well.
2008
CRYPTO
2008
CRYPTO
2007
CRYPTO
2007
EPRINT
We construct two new multiparty digital signature schemes that allow multiple signers to sequentially produce a compact, fixed-length signature. First, we introduce a new primitive that we call \emph{ordered multisignatures} (OMS), which allows signers to attest to a common message as well as the order in which they signed. Our OMS construction substantially improves computational efficiency and scalability over any existing scheme with suitable functionality. Second, we design a new identity-based sequential aggregate signature scheme, where signers can attest to different messages and signature verification does not require knowledge of traditional public keys. The latter property permits savings on bandwidth and storage as compared to public-key solutions. In contrast to the only prior scheme to provide this functionality, ours offers improved security that does not rely on synchronized clocks or a trusted first signer. We provide formal security definitions and support the proposed schemes with security proofs under appropriate computational assumptions. We focus on potential applications of our schemes to secure network routing, but we believe they will find many other applications as well.
2006
EPRINT
We present as-strong-as-possible definitions of privacy, and constructions achieving them, for public-key encryption schemes where the encryption algorithm is \textit{deterministic}. We obtain as a consequence database encryption methods that permit fast (i.e.~sub-linear, and in fact logarithmic, time) search while provably providing privacy that is as strong as possible subject to this fast search constraint. One of our constructs, called RSA-DOAEP, has the added feature of being length preserving, so that it is the first example of a public-key cipher. We generalize this to obtain a notion of efficiently-searchable encryption schemes which permit more flexible privacy to search-time trade-offs via a technique called bucketization. Our results answer much-asked questions in the database community and provide foundations for work done there.

Crypto 2020
PKC 2017
Eurocrypt 2016
PKC 2015
Eurocrypt 2014
PKC 2012