Hedged Nonce-Based Public-Key Encryption: Adaptive Security Under Randomness Failures
Nowadays it is well known that randomness may fail due to bugs or deliberate randomness subversion. As a result, the security of traditional public-key encryption (PKE) cannot be guaranteed any more. Currently there are mainly three approaches dealing with the problem of randomness failures: deterministic PKE, hedged PKE, and nonce-based PKE. However, these three approaches only apply to different application scenarios respectively. Since the situations in practice are dynamic and very complex, it’s almost impossible to predict the situation in which a scheme is deployed, and determine which approach should be used beforehand.In this paper, we initiate the study of hedged security for nonce-based PKE, which adaptively applies to the situations whenever randomness fails, and achieves the best-possible security. Specifically, we lift the hedged security to the setting of nonce-based PKE, and formalize the notion of chosen-ciphertext security against chosen-distribution attacks (IND-CDA2) for nonce-based PKE. By presenting two counterexamples, we show a separation between our IND-CDA2 security for nonce-based PKE and the original NBP1/NBP2 security defined by Bellare and Tackmann (EUROCRYPT 2016). We show two nonce-based PKE constructions meeting IND-CDA2, NBP1 and NBP2 security simultaneously. The first one is a concrete construction in the random oracle model, and the second one is a generic construction based on a nonce-based PKE scheme and a deterministic PKE scheme.
Attribute-Based Ring Signatures
Ring signature was proposed to keep signer's anonymity when it signs messages on behalf of a ``ring" of possible signers. In this paper, we propose a novel notion of ring signature which is called attribute-based ring signature. In this kind of signature, it allows the signer to sign message with its attributes from attribute center. All users that possess of these attributes form a ring. The identity of signer is kept anonymous in this ring. Furthermore, anyone out of this ring could not forge the signature on behalf of the ring. Two constructions of attribute-based ring signature are also presented in this paper. The first scheme is proved to be secure in the random oracle model, with large universal attributes. We also present another scheme in order to avoid the random oracle model. It does not rely on non-standard hardness assumption or random oracle model. Both schemes in this paper are based on standard computational Diffie-Hellman assumption.
Towards Security Two-part Authenticated Key Agreement Protocols
We first present a new security 2-AK protocol, which is more secure and more efficient than previously proposed ones. Meanwhile, we point that Xie's ID-2-AK protocol modified from McCullagh-Barreto in CT-RSA 2005 doesn't provide protection against KCI attack likewise, and finally utilize the modular arithmetic, first proposed in MQV and also used in Kim, to get a modified new ID-2-AK protocol. On second thoughts, we give another ID-2-AK protocol utilizing the operation of addition in finite field like our forenamed 2-AK protocol. The two ID-2-AK protocols are in possession of all the desired security attributes. We also compare our new protocols with others in terms of computational cost and security properties.
ID-based signature and Key-insulated threshold signature
Identity-based (simply ID-based) cryptosystem was proposed in order to simplify key management procedures of certificate-based public key infrastructures. In 2003 Sakai and Kasahara proposed a new ID-based encryption scheme (SK-IBE). In our paper, it is intended to build a new ID-based signature (IBS) scheme which shares the same system parameters with SK-IBE. SK-IBE and our signature scheme yield a new complete ID-based public key cryptosystem. The proposed signature scheme is provably secure against existential forgery for adaptive chosen message and identity attack in the random oracle model based on a reasonably well-explored hardness assumption. Another contribution of this paper is that we first propose the notion of key-insulated threshold signature and present a generic method for constructing key-insulated threshold signature scheme.