Identity-Based Encryption Secure under Selective Opening Attack
We present the first Identity-Based Encryption (IBE) scheme that is proven secure against selective opening attack (SOA). This means that if an adversary, given a vector of ciphertexts, adaptively corrupts some fraction of the senders, exposing not only their messages but also their coins, the privacy of the unopened messages is guaranteed. Achieving security against such attacks is well-known to be challenging and was only recently solved in the PKE case via lossy encryption. We explain why those methods won't work for IBE and instead rely on an approach based on encryption schemes that have a property we call one-sided public openability. Our SOA-secure IBE scheme is quite efficient and proven secure without random oracles based on the Decision Linear assumption.
Encryption Schemes Secure under Selective Opening Attack
The existence of encryption schemes secure under selective opening attack (SOA) has remained open despite considerable interest and attention. We provide the first public key encryption schemes secure against sender corruptions in this setting. The underlying tool is lossy encryption. The schemes have short keys. (Public and secret keys of a fixed length suffice for encrypting an arbitrary number of messages.) The schemes are stateless and noninteractive, and security does not rely on erasures. The schemes are without random oracles, proven secure under standard assumptions (DDH, Paillier's DCR, QR, lattices), and even efficient. We are able to meet both an indistinguishability (IND-SO-ENC) and a simulation-style, semantic security (SEM-SO-ENC) definition.
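An added worked example (editor's illustration, not code from the paper): a toy DDH-based lossy encryption scheme of the kind the abstract refers to, showing the property an SOA simulator relies on, namely that a ciphertext produced under a lossy key can be opened, with the trapdoor, to any message of the simulator's choosing, while an injective key decrypts normally and commits to one message. The group, parameter sizes, exponent-encoded messages and all function names are assumptions; the parameters are toy-sized and not secure.

```python
"""Toy DDH-based lossy encryption with trapdoor openability (editor's illustration).

Assumptions (not from the abstract): messages are exponents 0..63, the group is the
order-q subgroup of Z_p^* for a tiny safe prime p = 2q + 1, and the lossy-mode
trapdoor belongs to a simulator.  Parameters are toy-sized and NOT secure."""
import secrets

P, Q, G = 10007, 5003, 4   # p = 2q + 1; G = 2^2 generates the order-q subgroup


def keygen(lossy: bool):
    """Injective pk = (g, h, g^r, h^r) is a DDH tuple; a lossy pk uses h^r2 with r2 != r.
    Under DDH the two kinds of public key are indistinguishable."""
    w = secrets.randbelow(Q - 1) + 1                                  # h = g^w
    r = secrets.randbelow(Q - 1) + 1
    r2 = (r + secrets.randbelow(Q - 1) + 1) % Q if lossy else r       # lossy: r2 != r
    h = pow(G, w, P)
    pk = (G, h, pow(G, r, P), pow(h, r2, P))
    return pk, {"w": w, "r": r, "r2": r2, "lossy": lossy}


def random_coins():
    return secrets.randbelow(Q), secrets.randbelow(Q)


def encrypt(pk, m: int, coins):
    """coins = (s, t):  c1 = g^s h^t,  c2 = (g^r)^s (h^r2)^t g^m."""
    g, h, gr, hr = pk
    s, t = coins
    c1 = pow(g, s, P) * pow(h, t, P) % P
    c2 = pow(gr, s, P) * pow(hr, t, P) * pow(g, m, P) % P
    return c1, c2


def decrypt(td, c, max_m: int = 64):
    """Injective mode: c2 / c1^r = g^m; the small exponent m is recovered by search."""
    c1, c2 = c
    gm = c2 * pow(pow(c1, td["r"], P), -1, P) % P
    for m in range(max_m):
        if pow(G, m, P) == gm:
            return m
    return None


def open_to(td, coins, m_old: int, m_new: int):
    """Lossy-mode trapdoor: coins (s', t') with Enc(m_new; s', t') == Enc(m_old; s, t).
    With h = g^w the ciphertext exponents are
        A = s + w t          and   B = r s + w r2 t + m   (mod q),
    two linear equations in (s', t') whose determinant w (r2 - r) is nonzero
    exactly when the key is lossy."""
    if not td["lossy"]:
        raise ValueError("injective key: a ciphertext commits to a single message")
    w, r, r2 = td["w"], td["r"], td["r2"]
    s, t = coins
    A = (s + w * t) % Q
    B = (r * s + w * r2 * t + m_old) % Q
    t2 = (B - m_new - r * A) * pow(w * (r2 - r) % Q, -1, Q) % Q
    s2 = (A - w * t2) % Q
    return s2, t2


def demo():
    pk_i, td_i = keygen(lossy=False)
    coins = random_coins()
    decrypts = decrypt(td_i, encrypt(pk_i, 42, coins)) == 42

    pk_l, td_l = keygen(lossy=True)
    c = encrypt(pk_l, 42, coins)
    coins2 = open_to(td_l, coins, 42, 7)          # explain the same ciphertext as "7"
    opens = encrypt(pk_l, 7, coins2) == c
    return decrypts, opens


if __name__ == "__main__":
    print(demo())
```

The design point is the determinant in `open_to`: under a lossy key every ciphertext pair is reached by exactly one choice of coins for each message, so the ciphertext is statistically independent of the message and the simulator can later "open" it, coins included, to whatever the adversary's corruption demands. Under an injective key the same system is singular and no such opening exists, which is what makes real decryption possible.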
The Power of Proofs-of-Possession: Securing Multiparty Signatures against Rogue-Key Attacks
Multiparty signature protocols need protection against rogue-key attacks, made possible whenever an adversary can choose its public key(s) arbitrarily. For many schemes, provable security has only been established under the knowledge of secret key (KOSK) assumption, where the adversary is required to reveal the secret keys it utilizes. In practice, certifying authorities rarely require the strong proofs of knowledge of secret keys required to substantiate the KOSK assumption. Instead, proofs of possession (POPs) are required and can be as simple as just a signature over the certificate request message. We propose a general registered key model, within which we can model both the KOSK assumption and in-use POP protocols. We show that simple POP protocols yield provable security of Boldyreva's multisignature scheme, the LOSSW multisignature scheme, and a 2-user ring signature scheme due to Bender, Katz, and Morselli. Our results are the first to provide formal evidence that POPs can stop rogue-key attacks.
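An added worked example (editor's illustration; not Boldyreva's, the LOSSW, or the Bender, Katz and Morselli scheme): a toy Schnorr-style multisignature with plain key aggregation, the rogue-key attack the abstract describes, and the registration-time POP check (a signature over the certificate request) that stops it. The scheme itself, the group parameters, the co-signing round collapsed into one function, and the certificate-request encoding are all assumptions; the parameters are toy-sized and not secure.

```python
"""Rogue-key attack on naive key aggregation, and the POP that blocks it
(editor's illustration, not any of the schemes named in the abstract).

Assumed toy scheme: Schnorr signatures over the order-q subgroup of Z_p^*,
aggregated key = product of co-signer keys, aggregated signature = sum of shares
under a combined nonce.  Co-signing is collapsed into one function.  NOT secure."""
import hashlib
import secrets

P, Q, G = 10007, 5003, 4   # p = 2q + 1; G generates the order-q subgroup


def H(*parts) -> int:
    data = b"|".join(repr(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def agg_key(pks):
    """Plain aggregation apk = prod pk_i.  Whoever may pick a key freely controls
    this product: that is the root of the rogue-key attack."""
    apk = 1
    for pk in pks:
        apk = apk * pk % P
    return apk


def sign(x, pk, msg):
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    e = H(R, pk, msg)
    return R, (k + e * x) % Q


def verify(pk, msg, sig):
    R, s = sig
    e = H(R, pk, msg)
    return pow(G, s, P) == R * pow(pk, e, P) % P


def multisign(xs, pks, msg):
    """Honest co-signing: combined nonce R, shares k_i + e x_i summed mod q."""
    apk = agg_key(pks)
    ks = [secrets.randbelow(Q - 1) + 1 for _ in xs]
    R = 1
    for k in ks:
        R = R * pow(G, k, P) % P
    e = H(R, apk, msg)
    return R, sum(k + e * x for k, x in zip(ks, xs)) % Q


def multiverify(pks, msg, sig):
    return verify(agg_key(pks), msg, sig)


def rogue_key(honest_pks):
    """Adversary sets pk_A = g^x_A * (prod honest_pks)^-1, so that the aggregate of
    the honest keys plus pk_A is g^x_A, a key only it controls.  It does NOT know
    the discrete log of pk_A itself."""
    x_a = secrets.randbelow(Q - 1) + 1
    pk_a = pow(G, x_a, P) * pow(agg_key(honest_pks), -1, P) % P
    return x_a, pk_a


def forge(x_a, pks, msg):
    """A 'multisignature' of everyone in pks, made without any honest signer."""
    return sign(x_a, agg_key(pks), msg)


def pop_create(x, pk):
    """Proof of possession: a signature under pk over the certificate request."""
    return sign(x, pk, ("cert-request", pk))


def ca_register(pk, pop):
    """Registered-key model: the CA accepts pk only with a valid POP under pk."""
    return verify(pk, ("cert-request", pk), pop)


def demo():
    x1, pk1 = keygen()
    x_a, pk_a = rogue_key([pk1])
    msg = "transfer all funds"
    forged = multiverify([pk1, pk_a], msg, forge(x_a, [pk1, pk_a], msg))
    honest_ok = ca_register(pk1, pop_create(x1, pk1))
    rogue_ok = ca_register(pk_a, pop_create(x_a, pk_a))   # adversary's best attempt
    return forged, honest_ok, rogue_ok


if __name__ == "__main__":
    print(demo())
```

The adversary's POP attempt fails because the only exponent it knows, x_A, is the discrete log of the aggregate g^{x_A}, not of its registered key pk_A = g^{x_A - x_1}; a signature over the request under pk_A would require knowing x_A - x_1, which is the honest party's secret. The CA never learns a secret key (no KOSK-style extraction), yet the registration check is enough to rule the rogue key out.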