Similar literature (20 results)
1.
We investigate a variant of spatial encryption (SE) we call ciphertext-policy SE (CP-SE), which combines the properties of SE with those of ciphertext-policy attribute-based encryption (CP-ABE). The resulting primitive supports non-monotone access structures. In CP-SE, the decryptability of a ciphertext depends on whether or not the required attribute vectors lie in the same affine space that also corresponds to the decryption key. This gives rise to many new applications, for example SE supporting negation, hierarchical ABE and forward-secure ABE. In this paper, we present techniques for the generic construction of CP-SE from ciphertext-policy inner product encryption (CP-IPE). Our techniques are property-preserving in the sense that if the CP-IPE scheme from which we derive our CP-SE scheme is fully secure, for example, then so is the resulting CP-SE scheme. Moreover, interestingly, we show that it is possible to perform the transformation in the opposite direction, that is, to construct a CP-IPE scheme given a CP-SE scheme.

2.
For public key encryption schemes, adaptive chosen ciphertext security is a widely accepted security notion since it captures a wide range of attacks. SAEP and SAEP+ are asymmetric encryption schemes which were proven to achieve semantic security against adaptive chosen ciphertext attacks. However, their message bandwidth is essentially poor, that is, the ciphertext expansion (the length difference between the ciphertext and the plaintext) is too large. In most mobile networks and bandwidth-constrained communication systems, it is necessary to securely send as many messages as possible. In this article, we propose two chosen-ciphertext secure asymmetric encryption schemes. The first scheme is a generic asymmetric encryption padding scheme based on trapdoor permutations. The second one is its application to the Rabin-Williams function, which has a very fast encryption algorithm. Both asymmetric encryption schemes achieve the optimal bandwidth w.r.t. ciphertext expansion, namely the smallest possible ciphertext expansion. Further, tight security reductions are shown to prove the security of these encryption schemes.

3.
Recently, leakage-resilient cryptography has become a hot research topic. It seeks to build more robust models of adversarial access to cryptographic algorithms. The main goal is to design a scheme that remains secure even when arbitrary, yet bounded, information about the secret key is leaked. In this paper, we present a modular framework for designing leakage-resilient attribute-based encryption (ABE) schemes based on extended predicate encoding. We first extend predicate encoding to leakage-resilient predicate encoding, then design several leakage-resilient predicate encodings, and finally give a generic construction of leakage-resilient ABE based on the newly proposed encodings. Moreover, we can instantiate our framework in prime order bilinear groups to obtain concrete constructions, and prove their full security under the standard k-Lin assumption in the continual memory leakage model.

4.
Hierarchical inner product encryption (HIPE) and spatial encryption (SE) are two important classes of functional encryption that have numerous applications. Although HIPE and SE both involve some notion of linear algebra, the former works with vectors while the latter is based on (affine) spaces. Moreover, they currently possess different properties in terms of security, anonymity (payload/attribute-hiding) and ciphertext sizes, for example. In this paper, we formally study the relation between HIPE and SE. In our work, we discover some interesting and novel property-preserving transformation techniques that enable the generic construction of an SE scheme from an HIPE scheme, and vice versa.

5.
Hidden vector encryption (HVE) is a particular kind of predicate encryption that is an important cryptographic primitive with many applications; it provides conjunctive equality, subset, and comparison queries on encrypted data. In predicate encryption, a ciphertext is associated with attributes and a token corresponds to a predicate. The token that corresponds to a predicate f can decrypt the ciphertext associated with attributes x if and only if f(x) = 1. Several HVE schemes have been proposed in which the ciphertext size, the token size, and the decryption cost are proportional to the number of attributes in the ciphertext. In this paper, we construct efficient HVE schemes where the token consists of just four group elements and decryption requires only four bilinear map computations, independent of the number of attributes in the ciphertext. We first construct an HVE scheme in composite order bilinear groups and prove its selective security under well-known assumptions. Next, we convert it to use prime order asymmetric bilinear groups, where there are no efficiently computable isomorphisms between the two groups.

6.
A traitor tracing scheme allows a content distributor to detect at least one of the traitors whose secret key was used to create a pirate decoder. In building efficient traitor tracing schemes, reducing the ciphertext size is a significant factor, since the traitor tracing scheme must handle a large number of users. In this paper, we present a fully collusion-resistant traitor tracing scheme whose ciphertext size is 2.8 times shorter and whose encryption time is 2.6 times faster, compared to the best cases of previously suggested fully collusion-resistant schemes. We achieve these efficiency results without sacrificing other costs. Also, our scheme supports public tracing and black-box tracing. To achieve our goal, we use asymmetric bilinear maps in prime order groups, and we introduce a new cancellation technique that has the same effect as that in composite order groups.

7.
Signcryption schemes with threshold unsigncryption, and applications
The goal of a signcryption scheme is to achieve the same functionalities as encryption and signature together, but in a more efficient way than encrypting and signing separately. To increase security and reliability in some applications, the unsigncryption phase can be distributed among a group of users through a (t, n)-threshold process. In this work we consider this task of threshold unsigncryption, which has received very little attention in the cryptographic literature up to now (perhaps surprisingly, given its potential applications). First we describe in detail the security requirements that a scheme for such a task should satisfy: existential unforgeability and indistinguishability, under insider chosen message/ciphertext attacks, in a multi-user setting. Then we show that generic constructions of signcryption schemes (by combining encryption and signature schemes) do not offer this level of security in the threshold unsigncryption scenario. For this reason, we propose two new protocols for threshold unsigncryption, which we prove to be secure, one in the random oracle model and one in the standard model. The two proposed schemes enjoy an additional property that can be very useful. Namely, the unsigncryption protocol can be divided into two phases: a first one where the authenticity of the ciphertext is verified, possibly by a single party; and a second one where the ciphertext is decrypted by a subset of t receivers, without using the identity of the sender. As a consequence, the schemes can be used in applications requiring some level of anonymity, such as electronic auctions.

8.
Based on the discrete logarithm problem over finite fields and the strong RSA assumption, a forward-secure designated-verifier proxy multi-signature scheme is proposed. In this scheme, the proxy signer can generate a designated-verifier proxy multi-signature on behalf of multiple original signers, ensuring that only the verifier designated by the original signers can verify the validity of the proxy multi-signature. Moreover, the proxy multi-signature is forward secure: even if the proxy signer's proxy multi-signature key for the current period is leaked, an adversary cannot forge proxy multi-signatures for earlier periods, and previously generated proxy multi-signatures remain valid.

9.
A proxy multi-signature scheme proposed by Zhou et al. is widely used because of its high execution efficiency and relatively simple implementation. A security analysis of this scheme shows that it is vulnerable to two kinds of forgery attack, internal and external, and is therefore deficient in security; the corresponding attack methods are also given in the paper. Finally, a new improved scheme is proposed which, by adding public key verification and a signature parameter handling mechanism, can effectively resist both internal and external forgery attacks.

10.
In a multi-secret sharing scheme (MSSS), \(\ell\) different secrets are distributed among the players in some set \(\mathcal{P}=\{P_1,\ldots,P_n\}\), each one according to an access structure. The trivial solution to this problem is to run \(\ell\) independent instances of a standard secret sharing scheme, one for each secret. In this solution, the length of the secret share to be stored by each player grows linearly with \(\ell\) (when keeping all other parameters fixed). Multi-secret sharing schemes have been studied by the cryptographic community mostly from a theoretical perspective: different models and definitions have been proposed, for both unconditional (information-theoretic) and computational security. In the case of unconditional security, there are two different definitions. It has been proved that, for some particular cases of access structures that include the threshold case, an MSSS with the strongest level of unconditional security must have shares with length linear in \(\ell\). Therefore, the optimal solution in this case is equivalent to the trivial one. In this work we prove that, even for a more relaxed notion of unconditional security, and for some kinds of access structures (in particular, threshold ones), we have the same efficiency problem: the length of each secret share must grow linearly with \(\ell\). Since we want more efficient solutions, we move to the scenario of MSSSs with computational security. We propose a new MSSS, where each secret share has constant length (just one element), and we formally prove its computational security in the random oracle model. To the best of our knowledge, this is the first formal analysis of the computational security of an MSSS. We show the utility of the new MSSS by using it as a key ingredient in the design of two schemes for two new functionalities: multi-policy signatures and multi-policy decryption. We prove the security of these two new multi-policy cryptosystems in a formal security model. The two new primitives provide similar functionalities to attribute-based cryptosystems, with some advantages and some drawbacks that we discuss at the end of this work.

11.
Recently, an image encryption scheme based on chaotic standard and logistic maps was proposed by Patidar et al. It was later reported by Rhouma et al. that an equivalent secret key can be reconstructed with only one known/chosen plaintext and the corresponding ciphertext. Patidar et al. soon modified the original scheme and claimed that the modified scheme is secure against Rhouma et al.'s attack. In this paper, we point out that the modified scheme is still insecure against the same known/chosen-plaintext attack. In addition, some other security defects existing in both the original and the modified schemes are also reported.

12.
In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can "freely" perform the operation inevitably means that ciphertexts are malleable, and it is well known that adaptive chosen ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be handled simultaneously in situations where the user(s) who can perform homomorphic operations on encrypted data should be controlled or limited, and we propose a new concept of homomorphic public-key encryption, which we call keyed-homomorphic public-key encryption (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, the transitional universal property, and present a practical KH-PKE scheme with multiplicative homomorphic operations from the decisional Diffie-Hellman (DDH) assumption. For \(\ell\)-bit security, our DDH-based KH-PKE scheme yields a ciphertext only \(\ell\) bits longer than that of the Cramer-Shoup PKE scheme. Finally, we consider an identity-based analogue of KH-PKE, called keyed-homomorphic identity-based encryption, and give a concrete construction of it from the Gentry IBE scheme.

13.
We develop a two-period game model of a one-manufacturer, one-retailer supply chain to investigate the optimal decisions of the players, where stock-out and holding costs are incorporated into the model. The demand in each period is stochastic and the price drops sharply in mid-life. We assume the retailer has a single order opportunity and decides how much inventory to keep in the middle of the selling season. We show that both the price-protection mid-life and end-of-life returns (PME) scheme and the mid-life and end-of-life returns only (ME) scheme may achieve channel coordination and reach a 'win-win' situation under some conditions. The larger the lowest expected profit of the retailer, the lower the possibility of a 'win-win' situation. Combined with the analysis of feasible regions for coordination policies, we find that the PME scheme is not always better than the ME scheme from the perspective of an implementable mechanism. Finally, we find that adopting the dispose-down-to (DDT) policy can bring a larger improvement of the expected channel profit in the centralized setting, and it is interesting that under the DDT policy, double marginalization occurs only in Period 1 and does not plague the retailer in Period 2.

14.
In a PQ oligopoly, firms pick prices and quantities simultaneously, and unlike in the traditional Cournot and Bertrand models, market clearing is not imposed. It is thus necessary to specify the rationing rule. Proportional rationing is one of the popular choices, often justified through a notion of randomly ordered consumers with varied reservation prices. However, such a setting would render firm-specific demand a random variable, a fact overlooked in existing models. In the paper, we (1) formalise the notion of randomly ordered consumers into a new stochastic version of the proportional rationing scheme, (2) derive the probabilistic properties of firm-specific demand under this new scheme, and (3) show that the results of the stochastic and deterministic versions are not entirely consistent.

15.
In this paper, we formally prove that padding the plaintext with a random bit-string provides semantic security against chosen plaintext attack (IND-CPA) for the McEliece (and its dual, the Niederreiter) cryptosystems under the standard assumptions. Such padding has recently been used by Suzuki, Kobara and Imai in the context of RFID security. Our proof relies on the technical result by Katz and Shin from Eurocrypt '05 showing the "pseudorandomness" implied by the learning parity with noise (LPN) problem. Unlike the known generic constructions, we do not need random oracles; those constructions, on the other hand, provide stronger protection than our scheme, namely against (adaptive) chosen ciphertext attack, i.e., IND-CCA(2). In order to show that the padded version of the cryptosystem remains practical, we provide some estimates for suitable key sizes together with the corresponding workload required for a successful attack.

16.
This paper deals with generic transformations from ID-based key encapsulation mechanisms (IBKEM) to hybrid public-key encryption (PKE). The best generic transformation known until now is by Boneh and Katz and requires roughly 704 bits of overhead in the ciphertext. We present new generic transformations that are applicable to partitioned IBKEMs. A partitioned IBKEM is an IBKEM that provides some extra structure. Such IBKEMs are quite natural, and in fact nearly all known IBKEMs have this additional property. Our first transformation yields chosen-ciphertext secure PKE schemes from selective-ID secure partitioned IBKEMs with a 256-bit overhead in ciphertext size plus one extra exponentiation in encryption/decryption. As the central tool, a Chameleon Hash function is used to map the identities. We also propose other methods to remove the use of the Chameleon Hash, which may be of independent technical interest. Applying our transformations to existing IBKEMs, we propose a number of novel PKE schemes with different trade-offs. In some concrete instantiations the Chameleon Hash can be made "implicit", which results in improved efficiency by eliminating the additional exponentiation. Since our transformations preserve the public verifiability property of the IBE schemes, it is possible to extend our results to build threshold hybrid PKE schemes. We show an analogous generic transformation in the threshold setting and present a concrete scheme which results in the most efficient threshold PKE scheme in the standard model.

17.
We give a complete characterization, both in terms of security and design, of all currently existing group homomorphic encryption schemes, i.e., existing encryption schemes with a group homomorphic decryption function such as ElGamal and Paillier. To this end, we formalize and identify the basic underlying structure of all existing schemes and say that such schemes are of shift-type. Then, we construct an abstract scheme that represents all shift-type schemes (i.e., every scheme occurs as an instantiation of the abstract scheme) and prove its IND-CCA1 (resp. IND-CPA) security equivalent to the hardness of an abstract problem called the Splitting Oracle-Assisted Subgroup Membership Problem (SOAP) (resp. Subgroup Membership Problem, SMP). Roughly, SOAP asks for solving an SMP instance, i.e., for deciding whether a given ciphertext is an encryption of the neutral element of the ciphertext group, while allowing access to a certain oracle beforehand. Our results allow for contributing to a variety of open problems such as the IND-CCA1 security of Paillier's scheme, or the use of linear codes in group homomorphic encryption. Furthermore, we design a new cryptosystem which provides features that are unique up to now: its IND-CPA security is based on the k-linear problem introduced by Shacham, and Hofheinz and Kiltz, while its IND-CCA1 security is based on a new k-problem that we prove to have the same progressive property, namely that if the k-instance is easy in the generic group model, the (k+1)-instance is still hard.

18.
Caching is widely recognized as an effective mechanism for improving the performance of the World Wide Web. One of the key components in engineering Web caching systems is designing document placement/replacement algorithms for updating the collection of cached documents. The main design objectives of such a policy are a high cache hit ratio, ease of implementation, low complexity and adaptability to fluctuations in access patterns. These objectives are essentially satisfied by the widely used heuristic called the least-recently-used (LRU) cache replacement rule. However, in the context of the independent reference model, the LRU policy can significantly underperform the optimal least-frequently-used (LFU) algorithm, which, on the other hand, has higher implementation complexity and lower adaptability to changes in access frequencies. To alleviate this problem, we introduce a new LRU-based rule, termed persistent-access-caching (PAC), which essentially preserves all of the desirable attributes of the LRU scheme. For this new heuristic, under the independent reference model and generalized Zipf's law request probabilities, we prove that, for large cache sizes, its performance is arbitrarily close to that of the optimal LFU algorithm. Furthermore, this near-optimality of the PAC algorithm is achieved at the expense of a negligible additional complexity for large cache sizes when compared to the ordinary LRU policy, since the PAC algorithm makes its replacement decisions based on the references collected during the preceding interval of fixed length. © 2008 Wiley Periodicals, Inc. Random Struct. Alg., 2008

19.
彭怡, 胡杨. 《运筹学学报》 2006, 10(1): 123-126
To solve deterministic multi-stage group decision problems with discrete states, a multi-stage group decision model is established, and concepts such as the group Pareto-optimal strategy and the group satisfactory strategy are defined. Based on Bellman's principle of optimality, a backward recursive algorithm for multi-stage group decision problems is proposed; by introducing preference relations, the group satisfactory strategies of the sub-process at each stage and of the whole process are obtained. Finally, a computational example is given.

20.
The open vehicle routing problem (VRP) is an immediate variant of the standard vehicle routing problem in which the vehicle need not return to the depot after servicing its last customer. In this paper, we present results on an implementation of the attribute-based hill climber heuristic for the open VRP. The attribute-based hill climber heuristic is a parameter-free variant of the tabu search principle and has been shown to be highly effective for the standard vehicle routing problem.
