XTR-Kurosawa-Desmedt Scheme

This paper proposes an XTR version of the Kurosawa-Desmedt scheme. Our scheme is secure against adaptive chosen-ciphertext attack under the XTR version of the Decisional Diffie-Hellman assumption in the standard model. Comparing efficiency between the Kurosawa-Desmedt scheme and the proposed XTR-Kurosawa-Desmedt scheme, we find that the proposed scheme is more efficient than the Kurosawa-Desmedt scheme both in communication and computation without compromising security.     

XTR-Kurosawa-Desmedt Scheme

This paper proposes an XTR version of the Kurosawa-Desmedt scheme. Our scheme is secure against adaptive chosen-ciphertext attack under the XTR version of the Decisional Diffie- Hellman assumption in the standard model. Comparing efficiency between the Kurosawa-Desmedt scheme and the proposed XTR-Kurosawa-Desmedt scheme, we find that the proposed scheme is more efficient than the Kurosawa-Desmedt scheme both in communication and computation without compromising security.     

Efficient discrete logarithm based multi-signature scheme in the plain public key model

In this paper, we provide a new multi-signature scheme that is proven secure in the plain public key model. Our scheme is practical and efficient according to computational costs, signature size and security assumptions. At first, our scheme matches the single ordinary discrete logarithm based signature scheme in terms of signing time, verification time and signature size. Secondly, our scheme requires only two rounds of interactions and each signer needs nothing more than a certified public key to produce the signature, meaning that our scheme is compatible with existing PKIs. Thirdly, our scheme has been proven secure in the random oracle model under standard discrete logarithm (DL) assumption. It outperforms a newly proposed multi-signature scheme by Bagherzandi, Cheon and Jarecki (BCJ scheme) in terms of both computational costs and signature size.     

Signcryption schemes with threshold unsigncryption,and applications

The goal of a signcryption scheme is to achieve the same functionalities as encryption and signature together, but in a more efficient way than encrypting and signing separately. To increase security and reliability in some applications, the unsigncryption phase can be distributed among a group of users, through a (t, n)-threshold process. In this work we consider this task of threshold unsigncryption, which has received very few attention from the cryptographic literature up to now (maybe surprisingly, due to its potential applications). First we describe in detail the security requirements that a scheme for such a task should satisfy: existential unforgeability and indistinguishability, under insider chosen message/ciphertext attacks, in a multi-user setting. Then we show that generic constructions of signcryption schemes (by combining encryption and signature schemes) do not offer this level of security in the scenario of threshold unsigncryption. For this reason, we propose two new protocols for threshold unsigncryption, which we prove to be secure, one in the random oracle model and one in the standard model. The two proposed schemes enjoy an additional property that can be very useful. Namely, the unsigncryption protocol can be divided in two phases: a first one where the authenticity of the ciphertext is verified, maybe by a single party; and a second one where the ciphertext is decrypted by a subset of t receivers, without using the identity of the sender. As a consequence, the schemes can be used in applications requiring some level of anonymity, such as electronic auctions.     

A Public Key Cryptosystem Based On A Subgroup Membership Problem

We present a novel public key encryption scheme semantically secure in the standard model under the intractability assumption of a subgroup membership problem related to the factorization problem.Parts of this paper have already been published by the authors [13]AMS classification: 94A60     

基于MSP秘密共享的（t，n）门限群签名方案

门限群签名是群签名中重要的—类,它是秘钥共享与群签名的有机结合．本文通过文献[5]中的MSP方案（Monotone Span Program）,提出了一种新的门限群签名方案．在本签名方案建立后,只有达到门限的群成员的联合才能生成—个有效的群签名,并且可以方便的加入或删除成员．一旦发生争议,只有群管理员才能确定签名人的身份．该方案能够抵抗合谋攻击：即群中任意一组成员合谋都无法恢复群秘钥k．本方案的安全性基于Gap Diffie-Hellman群上的计算Diffie-Hellmanl可题难解上,因此在计算上是最安全的．     

Fine-grained forward-secure signature schemes without random oracles

We propose the concept of fine-grained forward-secure signature schemes. Such signature schemes not only provide non-repudiation w.r.t. past time periods the way ordinary forward-secure signature schemes do but, in addition, allow the signer to specify which signatures of the current time period remain valid when revoking the public key. This is an important advantage if the signer produces many signatures per time period as otherwise the signer would have to re-issue those signatures (and possibly re-negotiate the respective messages) with a new key.Apart from a formal model for fine-grained forward-secure signature schemes, we present practical schemes and prove them secure under the strong RSA assumption only, i.e., we do not resort to the random oracle model to prove security. As a side-result, we provide an ordinary forward-secure scheme whose key-update time is significantly smaller than that of known schemes which are secure without assuming random oracles.     

前向安全的指定验证人代理多重签名方案

基于有限域上离散对数难解问题和强RSA假设,提出了一个前向安全的指定验证人代理多重签名方案.在方案中,代理签名人不仅可以代表多个原始签名人生成指定验证人的代理多重签名,确保只有原始签名人指定的验证人可以验证代理多重签名的有效性;而且在该方案中,代理多重签名是前向安全的,即使代理签名人当前时段的代理多重签名密钥被泄漏,敌手也不能伪造此时段之前的代理多重签名,以前所产生的代理多重签名依然有效.     

More efficient DDH pseudorandom generators

In this paper, we first show a DDH Lemma, which states that a multi-variable version of the decisional Diffie–Hellman problem is hard under the standard DDH assumption, where the group size is not necessarily known. Our proof, based on a self-reducibility technique, has a small reduction complexity. Using DDH Lemma, we extend the FSS pseudorandom generator of Farashahi et al. to a new one. The new generator is almost twice faster than FSS while still provably secure under the DDH assumption. Using the similar technique for the RSA modulus, we improve the Goldreich–Rosen generator. The new generator is provably secure under the factoring assumption and DDH assumption over \mathbbZ_N^*{\mathbb{Z}_N^*}. Evidently, to achieve the same security level, different generators may have different security parameters (e.g., distinct length of modulus). We compare our generators with other generators under the same security level. For simplicity, we make comparisons without any pre-computation. As a result, our first generator is the most efficient among all generators that are provably secure under standard assumptions. It has the similar efficiency as Gennaro generator, where the latter is proven secure under a non-standard assumption. Our second generator is more efficient than Goldreich–Rosen generator.     

Leakage-resilient attribute based encryption in prime-order groups via predicate encodings

Recently, leakage-resilient cryptography has become a hot research topic. It seeks to build more robust models of adversarial access to cryptographic algorithms. The main goal is to design a scheme that remains secure even when arbitrary, yet bounded, information about secret key is leaked. In this paper, we present a modular framework for designing leakage-resilient attribute-based encryption (ABE) schemes based on extended predicate encoding. We first extend the predicate encoding to the leakage-resilient predicate encoding; and then, design several leakage-resilient predicate encodings, and finally give a generic construction of leakage-resilient ABE based on the newly proposed encodings. Moreover, we can instantiate our framework in prime order bilinear groups to obtain concrete constructions, and prove their full security under the standard k-Lin assumption in the continual memory leakage model.     

How (Not) to design strong-RSA signatures

This paper considers strong-RSA signature schemes built from the scheme of Cramer and Shoup. We present a basic scheme encompassing the main features of the Cramer-Shoup scheme. We analyze its security in both the random oracle model and the standard model. This helps us to spot potential security flaws. As a result, we show that a seemingly secure signature scheme (Tan in Int J Security Netw 1(3/4): 237?C242, 2006) is universally forgeable under a known-message attack. In a second step, we discuss how to turn the basic scheme into a fully secure signature scheme. Doing so, we rediscover several known schemes (or slight variants thereof).     

Weakness and improvement on Wang–Li–Tie’s user-friendly remote authentication scheme

In an open network environment, the remote authentication scheme using smart cards is a very practical solution to validate the legitimacy of a remote user. In 2003, Wu and Chieu presented a user-friendly remote authentication scheme using smart cards. Recently, Wang, Li, and Tie found that Wu–Chieu’s scheme is vulnerable to the forged login attack, and then presented an improvement to eliminate this vulnerability. In our opinion, the smart card plays an important role in those schemes. Therefore, we demonstrate that Wang–Li–Tie’s scheme is not secure under the smart card loss assumption. If an adversary obtains a legal user’s smart card even without the user’s corresponding password, he can easily use it to impersonate the user to pass the server’s authentication. We further propose an improved scheme to overcome this abuse of the smart card.     

Multiround Unconditionally Secure Authentication

Authentication codes are used to protect communication against a malicious adversary. In this paper we investigate unconditionally secure multiround authentication schemes. In a multiround scheme a message is authenticated by passing back and forth several codewords between the sender and receiver. We define a multiround authentication model and show how to calculate the probability of a successful attack for this model. We prove the security for a 3-round scheme and give a construction for the 3-round scheme based on Reed-Solomom codes. This construction has a very small key size for even extremely large messages. Furthermore, a secure scheme for an arbitrary number of rounds is given. We give a new upper bound for the keys size of an n-round scheme.     

On the relations between non-interactive key distribution,identity-based encryption and trapdoor discrete log groups

This paper investigates the relationships between identity-based non-interactive key distribution (ID-NIKD) and identity-based encryption (IBE). It provides a new security model for ID-NIKD, and a construction that converts a secure ID-NIKD scheme satisfying certain conditions into a secure IBE scheme. This conversion is used to explain the relationship between the ID-NIKD scheme of Sakai, Ohgishi and Kasahara and the IBE scheme of Boneh and Franklin. The paper then explores the construction of ID-NIKD and IBE schemes from general trapdoor discrete log groups. Two different concrete instantiations for such groups provide new, provably secure ID-NIKD and IBE schemes. These schemes are suited to applications in which the Trusted Authority is computationally well-resourced, but clients performing encryption/decryption are highly constrained.      

A CCA-secure key-policy attribute-based proxy re-encryption in the adaptive corruption model for dropbox data sharing system

The notion of attribute-based proxy re-encryption extends the traditional proxy re-encryption to the attribute-based setting. In an attribute-based proxy re-encryption scheme, the proxy can convert a ciphertext under one access policy to another ciphertext under a new access policy without revealing the underlying plaintext. Attribute-based proxy re-encryption has been widely used in many applications, such as personal health record and cloud data sharing systems. In this work, we propose the notion of key-policy attribute-based proxy re-encryption, which supports any monotonic access structures on users’ keys. Furthermore, our scheme is proved against chosen-ciphertext attack secure in the adaptive model.     

Semiparametric empirical likelihood estimation for two-stage outcome-dependent sampling under the frame of generalized linear models

Epidemiologic studies use outcome-dependent sampling （ODS） schemes where, in addition to a simple random sample, there are also a number of supplement samples that are collected based on outcome variable. ODS scheme is a cost-effective way to improve study efficiency. We develop a maximum semiparametric empirical likelihood estimation （MSELE） for data from a two-stage ODS scheme under the assumption that given covariate, the outcome follows a general linear model. The information of both validation samples and nonvalidation samples are used. What is more, we prove the asymptotic properties of the proposed MSELE.     

Pre-commitment vs. time-consistent strategies for the generalized multi-period portfolio optimization with stochastic cash flows

In this paper, we propose a multi-period portfolio optimization model with stochastic cash flows. Under the mean–variance preference, we derive the pre-commitment and time-consistent investment strategies by applying the embedding scheme and backward induction approach, respectively. We show that the time-consistent strategy is identical to the optimal open-loop strategy. Also, under the exponential utility preference, we develop the optimal strategy for multi-period investment, which is time-consistent. We show that the above two time-consistent strategies are equivalent in some cases. We compare the pre-commitment and time-consistent strategies under different situations with some numerical simulations. The results indicate that the time-consistent strategy is more stable and secure than pre-commitment strategy under the generalized mean–variance criterion.     

Convergence of simple adaptive Galerkin schemes based on h − h/2 error estimators

We discuss several adaptive mesh-refinement strategies based on (h − h/2)-error estimation. This class of adaptive methods is particularly popular in practise since it is problem independent and requires virtually no implementational overhead. We prove that, under the saturation assumption, these adaptive algorithms are convergent. Our framework applies not only to finite element methods, but also yields a first convergence proof for adaptive boundary element schemes. For a finite element model problem, we extend the proposed adaptive scheme and prove convergence even if the saturation assumption fails to hold in general.     

Lattice-based completely non-malleable public-key encryption in the standard model

An encryption scheme is non-malleable if giving an encryption of a message to an adversary does not increase its chances of producing an encryption of a related message (under a given public key). Fischlin introduced a stronger notion, known as complete non-malleability, which requires attackers to have negligible advantage, even if they are allowed to transform the public key under which the related message is encrypted. Ventre and Visconti later proposed a comparison-based definition of this security notion, which is more in line with the well-studied definitions proposed by Bellare et al. The authors also provide additional feasibility results by proposing two constructions of completely non-malleable schemes, one in the common reference string model using non-interactive zero-knowledge proofs, and another using interactive encryption schemes. Therefore, the only previously known completely non-malleable (and non-interactive) scheme in the standard model, is quite inefficient as it relies on generic NIZK approach. They left the existence of efficient schemes in the common reference string model as an open problem. Recently, two efficient public-key encryption schemes have been proposed by Libert and Yung, and Barbosa and Farshim, both of them are based on pairing identity-based encryption. At ACISP 2011, Sepahi et al. proposed a method to achieve completely non-malleable encryption in the public-key setting using lattices but there is no security proof for the proposed scheme. In this paper we review the mentioned scheme and provide its security proof in the standard model. Our study shows that Sepahi’s scheme will remain secure even for post-quantum world since there are currently no known quantum algorithms for solving lattice problems that perform significantly better than the best known classical (i.e., non-quantum) algorithms.     

Tightly CCA-secure identity-based encryption with ciphertext pseudorandomness

Affine message authentication code (MAC) and delegatable affine MAC turn out to be useful tools for constructing identity-based encryption (IBE) and hierarchical IBE (HIBE), as shown in Blazy, Kiltz and Pan’s (BKP) creative work in CRYPTO (2014). An important result obtained by BKP is IBE of tight PR-ID-CPA security, i.e., tight IND-ID-CPA security together with ciphertext pseudorandomness (PR). However, the problem of designing tightly PR-ID-CCA2 secure IBE remains open. We note that the CHK transformation does not preserve ciphertext pseudorandomness when converting IND-ID-CPA secure 2-level HIBE to IND-ID-CCA2 secure IBE. In this paper, we solve this problem with a new approach. We introduce a new concept called De-randomized delegatable affine MAC and define for it weak APR-CMA security. We construct such a MAC with a tight security reduction to the Matrix DDH assumption, which includes the k-Linear and DDH assumptions. We present a paradigm for constructing PR-ID-CCA2 secure IBE, which enjoys both ciphertext pseudorandomness and IND-ID-CCA2 security, from De-randomized delegatable affine MAC and Chameleon hashing. The security reduction is tightness preserving. It provides another approach to IND-ID-CCA2 security besides the CHK transformation. By instantiating the paradigm with our specific De-randomized delegatable affine MAC, we obtain the first IBE of tight PR-ID-CCA2 security from the Matrix DDH assumption over pairing groups of prime order. Our IBE also serves as the first tightly IND-ID-CCA2 secure IBE with anonymous recipient (ANON-ID-CCA2) from the Matrix DDH assumption. Our IBE further implies the first tightly IND-ID-CCA2 secure extractable IBE based on the Matrix DDH assumption. The latter can be used to get IBE of simulation-based selective opening CCA2 (SIM-SO-CCA2) security (due to Lai et al. in EUROCRYPT, 2014). The tight security of our IBE leads to a tighter reduction of the SIM-SO-CCA2 security.