International Association for Cryptologic Research
Raylin Tso


Group Password-Authenticated Key Exchange from Identity-Based Cryptosystem
Xun Yi, Raylin Tso, Eiji Okamoto
Password-authenticated key exchange (PAKE) protocols are designed to be secure even when the secret key used for authentication is a human-memorable password. In this paper, we consider PAKE protocols in the group scenario, in which a group of clients, each of which shares a password with an "honest but curious" server, intend to establish a common secret key (i.e., a group key) with the help of the server. In this setting, the established key is known to the clients only and to no one else, including the server. Each client needs to remember only passwords, while the server keeps passwords in addition to private keys related to its identity. Towards our goal, we present the first compiler that transforms any group key exchange (KE) protocol secure against passive eavesdropping into a group PAKE protocol that is secure against an active adversary who controls all communication in the network. This compiler is built on any group KE protocol (e.g., the Burmester-Desmedt protocol), any identity-based encryption (IBE) scheme (e.g., Gentry's scheme), and any identity-based signature (IBS) scheme (e.g., the Paterson-Schuldt scheme). It adds only two rounds and O(1) communication (per client) to the original group KE protocol. As long as a group PAKE protocol is constructed by our compiler from a group KE protocol, an IBE scheme and an IBS scheme that are provably secure without random oracles, it can be proven secure without random oracles.
An Efficient ID-based Digital Signature with Message Recovery Based on Pairing
Signature schemes with message recovery were widely investigated a decade ago in the literature, but the first ID-based signature with message recovery did not appear until 2005. In this paper, we first point out and revise one small but important problem in the previous ID-based signature with message recovery scheme. Then, in a completely different setting, we propose a new ID-based signature scheme with message recovery. Our scheme is much more efficient than the previous scheme. In our scheme (as in other signature schemes with message recovery), the message itself need not be transmitted together with the signature, so it has the smallest communication cost compared with generic (not short) signature schemes. Although the communication overhead is still larger than that of Boneh et al.'s short signature (which is not ID-based), our scheme is computationally more efficient than Boneh et al.'s scheme in the verification phase. We also prove that the proposed scheme is provably secure in the random oracle model under the CDH assumption.
Simple and Provable Secure Strong Designated Verifier Signature Schemes
In this paper, we introduce a simple strong designated verifier signature (SDVS) scheme which is much more efficient than previously proposed SDVS schemes. In addition, with only one more parameter published by the signer, this scheme can provide the signer's forward security. That is, the consistency of a signature cannot be verified by any third party even if he/she knows the signer's private key. Thus the privacy of a signer's identity is protected independently in each signature, as long as the designated verifier's private key has not been disclosed. In addition, this scheme can be easily modified into a designated verifier signcryption scheme with virtually no additional cost. We also show that the proposed scheme is provably secure in the random oracle model.
A Share-Correctable Protocol for the Shamir Threshold Scheme and Its Application to Participant Enrollment
Verifiable secret sharing schemes proposed so far only allow participants to verify whether their shares are correct. In this paper, we propose a new protocol which allows participants not only to verify the correctness of their shares but also to revise faulty shares. This is achieved cooperatively by the participants, without any assistance from the dealer. To the best of our knowledge, this protocol is the first to provide such an ability. Correcting shares by participants instead of the dealer is important in many situations. In addition, this protocol is also useful for adding new participants without the dealer's assistance.
Chunxiang Gu (1)
Ying Miao (1)
Takeshi Okamoto (3)
Eiji Okamoto (4)
Xun Yi (1)