Similar documents
20 similar documents found (search time 31 ms)
1.
In homomorphic encryption schemes, anyone can perform homomorphic operations, and therefore it is difficult to manage when, where and by whom they are performed. In addition, the property that anyone can "freely" perform the operation inevitably means that ciphertexts are malleable, and it is well known that adaptive chosen-ciphertext (CCA) security and the homomorphic property can never be achieved simultaneously. In this paper, we show that CCA security and the homomorphic property can be handled simultaneously in situations where the user(s) who can perform homomorphic operations on encrypted data should be controlled/limited, and propose a new concept of homomorphic public-key encryption, which we call keyed-homomorphic public-key encryption (KH-PKE). By introducing a secret key for homomorphic operations, we can control who is allowed to perform the homomorphic operation. To construct KH-PKE schemes, we introduce a new concept, the transitional universal property, and present a practical KH-PKE scheme with multiplicative homomorphic operations from the decisional Diffie-Hellman (DDH) assumption. For \(\ell \)-bit security, our DDH-based KH-PKE scheme yields a ciphertext only \(\ell \) bits longer than that of the Cramer–Shoup PKE scheme. Finally, we consider an identity-based analogue of KH-PKE, called keyed-homomorphic identity-based encryption, and give its concrete construction from the Gentry IBE scheme.

2.
\(\mathcal {F}\)-related-key attacks (RKA) on cryptographic systems consider adversaries who can observe the outcome of a system under not only the original key, say k, but also related keys f(k), with f adaptively chosen from \(\mathcal {F}\) by the adversary. In this paper, we define new RKA security notions for several cryptographic primitives including message authentication code (MAC), public-key encryption (PKE) and symmetric encryption (SE). These new RKA notions are called super-strong RKA securities; they stipulate minimal restrictions on the adversary's forgery or oracle access, and thus turn out to be the strongest among existing RKA security requirements. We present paradigms for constructing super-strong RKA secure MAC, PKE and SE from a common ingredient, namely the tag-based hash proof system (THPS). We also present constructions for THPS based on the k-linear and the DCR assumptions. When instantiating our paradigms with concrete THPS constructions, we obtain super-strong RKA secure MAC, PKE and SE schemes for the class of restricted affine functions \(\mathcal {F}_{\text {raff}}\), of which the class of linear functions \(\mathcal {F}_{\text {lin}}\) is a subset. To the best of our knowledge, our MACs, PKEs and SEs are the first ones possessing super-strong RKA securities for a non-claw-free function class \(\mathcal {F}_{\text {raff}}\) in the standard model and under standard assumptions. Our constructions are free of pairings and are as efficient as those proposed in previous works. In particular, the keys, the tags of the MAC and the ciphertexts of the PKE and SE all consist of only a constant number of group elements.

3.
We construct identity-based encryption and inner product encryption schemes under the decision linear assumption. Their private user keys are leakage-resilient in several scenarios. In particular,
  • In the bounded memory leakage model (Akavia et al., TCC, vol. 5444, pp. 474–495, 2009), our basic schemes reach the maximum-possible leakage rate \(1-o(1)\).
  • In the continual memory leakage model (Brakerski et al., Overcoming the hole in the bucket: public-key cryptography resilient to continual memory leakage, 2010; Dodis et al., Cryptography against continuous memory attacks, 2010), variants of the above schemes enjoy leakage rate at least \(\frac{1}{2} -o(1)\). Among the results, we improve upon the work of Brakerski et al. by presenting adaptively secure IBE schemes.
In addition, we prove that our IBE schemes are anonymous under the DLIN assumption, so that ciphertexts leak no information on the corresponding identities. Similarly, attributes in IPE are proved to be computationally hidden in the corresponding ciphertexts.

4.
Providing an efficient revocation mechanism for identity-based encryption (IBE) is very important since a user's credential (or private key) can expire or be revealed. Revocable IBE (RIBE) is an extension of IBE that provides an efficient revocation mechanism. Previous RIBE schemes essentially use the complete subtree (CS) scheme of Naor, Naor and Lotspiech (CRYPTO 2001) for key revocation. In this paper, we present a new technique for RIBE that uses the efficient subset difference (SD) scheme of Naor et al. instead of the CS scheme to improve the size of update keys. Following our new technique, we first propose an efficient RIBE scheme in prime-order bilinear groups by combining the IBE scheme of Boneh and Boyen with the SD scheme, and prove its selective security under the standard assumption. Our RIBE scheme is the first RIBE scheme in bilinear groups that has O(r) group elements in an update key, where r is the number of revoked users. Next, we also propose another RIBE scheme in composite-order bilinear groups and prove its full security under static assumptions. Our RIBE schemes can also be integrated with the layered subset difference scheme of Halevy and Shamir (CRYPTO 2002) to reduce the size of a private key.

5.
We present efficient identity-based encryption (IBE) under the symmetric external Diffie–Hellman (SXDH) assumption in bilinear groups; our scheme also achieves anonymity. In our IBE scheme, all parameters have constant numbers of group elements, and are shorter than those of previous constructions based on the decisional linear (DLIN) assumption. Our construction uses both dual system encryption (Waters, CRYPTO 2009) and dual pairing vector spaces (Okamoto and Takashima, Pairing 2008; ASIACRYPT 2009). Specifically, we show how to adapt the recent DLIN-based instantiation of Lewko (EUROCRYPT 2012) to the SXDH assumption. To our knowledge, this is the first work to instantiate either dual system encryption or dual pairing vector spaces under the SXDH assumption. Furthermore, our work can be extended to many other functional encryption schemes. In particular, we show how to instantiate our framework for inner product encryption and key-policy functional encryption. All parameters of our constructions are shorter than those of DLIN-based constructions.

6.
In this paper, we present a generic construction to create a secure tweakable block cipher from a secure block cipher. Our construction is very natural, requiring four calls to the underlying block cipher for each call of the tweakable block cipher. Moreover, it is provably secure in the standard model while keeping the security degradation minimal in the multi-user setting. In more detail, if the underlying block cipher E uses n-bit blocks and 2n-bit keys, then our construction is proven secure against multi-user adversaries using up to roughly \(2^n\) time and queries, as long as E is a secure block cipher.

7.
We determine, under a certain assumption, the Alexeev–Brion moduli scheme M of affine spherical G-varieties with a prescribed weight monoid . In Papadakis and Van Steirteghem (Ann. Inst. Fourier (Grenoble). 62(5) 1765–1809 19) we showed that if G is a connected complex reductive group of type A and is the weight monoid of a spherical G-module, then M is an affine space. Here we prove that this remains true without any restriction on the type of G.

8.
In analogy to the corresponding measures of pseudorandomness for quaternary sequences introduced by Mauduit and Sárközy (for m-ary sequences), we introduce the well-distribution measure and the correlation measure of order k for sequences over \(\mathbb F_4\). Using any fixed bijection from \(\mathbb F_4\) to the set of complex fourth roots of unity, we analyze the relation between these pseudorandomness measures for sequences over \(\mathbb F_4\) and for the corresponding quaternary sequences. More precisely, we show that they differ only by a multiplicative constant (depending only on k). We also apply the results to derive new quaternary pseudorandom sequences from pseudorandom sequences over \(\mathbb F_4\) and vice versa.

9.
Hierarchical key-insulated identity-based encryption (HKIBE) is identity-based encryption (IBE) that allows users to update their secret keys to achieve (hierarchical) key-exposure resilience, which is an important notion in practice. However, existing HKIBE constructions have limitations in efficiency: the sizes of ciphertexts and secret keys depend on the hierarchical depth. In this paper, we first overcome this barrier by proposing simple but effective design methodologies to construct efficient HKIBE schemes. First, we show a generic construction from any hierarchical IBE (HIBE) scheme that satisfies a special requirement, called MSK evaluatability, introduced by Emura et al. (Des. Codes Cryptography 89(7):1535–1574, 2021). It provides several new and efficient instantiations, since most pairing-based HIBE schemes satisfy the requirement. It is worth noting that it preserves all parameter sizes of the underlying HIBE scheme, and hence we obtain several efficient HKIBE schemes under the k-linear assumption in the standard model. Since MSK evaluatability is dedicated to pairing-based HIBE schemes, the first construction is restricted to pairing-based instantiations. To realize efficient instantiations from various assumptions, we next propose a generic construction of an HKIBE scheme from any plain HIBE scheme. It is based on Hanaoka et al.'s HKIBE scheme (Asiacrypt 2005) and does not need any special properties. Therefore, we obtain new efficient instantiations from various assumptions other than pairing-oriented ones. Though the sizes of secret keys and ciphertexts are larger than those of the first construction, it is more efficient than Hanaoka et al.'s scheme in terms of the sizes of master public/secret keys.

10.
We give a complete characterization, both in terms of security and design, of all currently existing group homomorphic encryption schemes, i.e., existing encryption schemes with a group homomorphic decryption function such as ElGamal and Paillier. To this end, we formalize and identify the basic underlying structure of all existing schemes and say that such schemes are of shift-type. Then, we construct an abstract scheme that represents all shift-type schemes (i.e., every scheme occurs as an instantiation of the abstract scheme) and prove its IND-CCA1 (resp. IND-CPA) security equivalent to the hardness of an abstract problem called the Splitting Oracle-Assisted Subgroup Membership Problem (SOAP) (resp. Subgroup Membership Problem, SMP). Roughly, SOAP asks for solving an SMP instance, i.e., for deciding whether a given ciphertext is an encryption of the neutral element of the ciphertext group, while allowing access to a certain oracle beforehand. Our results allow us to contribute to a variety of open problems such as the IND-CCA1 security of Paillier's scheme, or the use of linear codes in group homomorphic encryption. Furthermore, we design a new cryptosystem which provides features that are unique up to now: its IND-CPA security is based on the k-linear problem introduced by Shacham, and Hofheinz and Kiltz, while its IND-CCA1 security is based on a new k-problem that we prove to have the same progressive property, namely that if the k-instance is easy in the generic group model, the (k+1)-instance is still hard.

11.
Piecewise affine functions on subsets of \(\mathbb R^m\) were studied in Aliprantis et al. (Macroecon Dyn 10(1):77–99, 2006), Aliprantis et al. (J Econometrics 136(2):431–456, 2007), Aliprantis and Tourky (Cones and duality, 2007), Ovchinnikov (Beiträge Algebra Geom 43:297–302, 2002). In this paper we study a more general concept of a locally piecewise affine function. We characterize locally piecewise affine functions in terms of components and regions. We prove that a positive function is locally piecewise affine iff it is the supremum of a locally finite sequence of piecewise affine functions. We prove that locally piecewise affine functions are uniformly dense in \(C(\mathbb R^m)\), while piecewise affine functions are sequentially order dense in \(C(\mathbb R^m)\). This paper is partially based on Adeeb (Locally piece-wise affine functions, 2014).

13.
We introduce the notion of an extension set for an affine plane of order q to study affine designs \({\mathcal {D}}'\) with the same parameters as, but not isomorphic to, the classical affine design \({\mathcal {D}} = \mathrm {AG}_2(3,q)\) formed by the points and planes of the affine space \(\mathrm {AG}(3,q)\) which are very close to this geometric example in the following sense: there are blocks \(B'\) and B of \({\mathcal {D}'}\) and \({\mathcal {D}}\), respectively, such that the residual structures \({\mathcal {D}}'_{B'}\) and \({\mathcal {D}}_B\) induced on the points not in \(B'\) and B, respectively, agree. Moreover, the structure \({\mathcal {D}}'(B')\) induced on \(B'\) is the q-fold multiple of an affine plane \({\mathcal {A}}'\) which is determined by an extension set for the affine plane \(B \cong AG(2,q)\). In particular, this new approach will result in a purely theoretical construction of the two known counterexamples to Hamada’s conjecture for the case \(\mathrm {AG}_2(3,4)\), which were discovered by Harada et al. [7] as the result of a computer search; a recent alternative construction, again via a computer search, is in [23]. On the other hand, we also prove that extension sets cannot possibly give any further counterexamples to Hamada’s conjecture for the case of affine designs with the parameters of some \(\mathrm {AG}_2(3,q)\); thus the two counterexamples for \(q=4\) might be truly sporadic. This seems to be the first result which establishes the validity of Hamada’s conjecture for some infinite class of affine designs of a special type. Nevertheless, affine designs which are that close to the classical geometric examples are of interest in themselves, and we provide both theoretical and computational results for some particular types of extension sets. 
Specifically, we obtain a theoretical construction for one of the two affine designs with the parameters of \(\mathrm {AG}_2(3,3)\) and 3-rank 11, and for an affine design with the parameters of \(\mathrm {AG}_2(3,4)\) and 2-rank 17 (in both cases, just one more than the rank of the classical example).

14.
In the Russian cards problem, Alice, Bob and Cath draw a, b and c cards, respectively, from a publicly known deck. Alice and Bob must then communicate their cards to each other without Cath learning who holds a single card. Solutions in the literature provide weak security, where Alice and Bob's exchanges do not allow Cath to know with certainty who holds each card that is not hers, or perfect security, where Cath learns no probabilistic information about who holds any given card. We propose an intermediate notion, which we call \(\varepsilon \)-strong security, where the probabilities perceived by Cath may only change by a factor of \(\varepsilon \). We then show that strategies based on affine or projective geometries yield \(\varepsilon \)-strong safety for arbitrarily small \(\varepsilon \) and appropriately chosen values of a, b and c.

15.
In this paper, we investigate four applications of the gauge transformation for the BKP hierarchy. Firstly, it is found that the orbit of the gauge transformation for the constrained BKP hierarchy defines a special (2+1)-dimensional Toda lattice equation structure. Then the tau function of the BKP hierarchy generated by the gauge transformation is shown to be the Pfaffian. The higher Fay-like identities for the BKP hierarchy are also obtained through the gauge transformation. Finally, the compatibility between the additional symmetry and the gauge transformation of the BKP hierarchy is proven.

16.
A relative t-design in the binary Hamming association scheme H(n, 2) is equivalent to a weighted regular t-wise balanced design, i.e., a certain combinatorial t-design which allows different sizes of blocks and a weight function on blocks. In this paper, we study relative t-designs in H(n, 2), putting emphasis on Fisher-type inequalities and the existence of tight relative t-designs. We mostly consider relative t-designs on two shells. We prove that if the weight function is constant on each shell of a relative t-design on two shells, then the subset in each shell must be a combinatorial \((t-1)\)-design. This is a generalization of the result of Kageyama, who proved this under the stronger assumption that the weight function is constant on the whole block set. Using this, we define tight relative t-designs for odd t, and obtain a strong restriction on the possible parameters of tight relative t-designs in H(n, 2). We obtain a new family of such tight relative t-designs, which were unnoticed before. We give a list of feasible parameters of such relative 3-designs with \(n \le 100\), and then discuss the existence and/or non-existence of such tight relative 3-designs. We also discuss feasible parameters of tight relative 4-designs on two shells in H(n, 2) with \(n \le 50\). In this study we encounter connections with topics of classical design theory, such as symmetric 2-designs (in particular 2-\((4u-1,2u-1,u-1)\) Hadamard designs) and Driessen's result on the non-existence of certain 3-designs. We believe Problems 1 and 2 presented in Sect. 5.2 open a new way to study relative t-designs in H(n, 2). We conclude our paper by listing several open problems.

17.
We show that stochastically continuous, time-homogeneous affine processes on the canonical state space ${\mathbb{R}_{\geq 0}^m \times \mathbb{R}^n}$ are always regular. In the paper of Duffie et al. (Ann Appl Probab 13(3):984–1053, 2003) regularity was used as a crucial basic assumption. It was left open whether this regularity condition is automatically satisfied for stochastically continuous affine processes. We now show that the regularity assumption is indeed superfluous, since regularity follows from stochastic continuity and the exponentially affine form of the characteristic function. For the proof we combine classic results on the differentiability of transformation semigroups with the method of the moving frame, which has recently been found to be useful in the theory of SPDEs.

18.
In this paper we prove that the affine Schur algebra \(\widehat {S}(n,r)\) is affine quasi-hereditary. This result is then used to show that the centralizer subquotient algebras of \(\widehat {S}(n,r)\) are Laurent polynomial algebras. Moreover, we give a parameter set of simple \(\widehat {S}(n,r)\)-modules and identify this parameter set with that given in [7]. In the Appendix, the affine quasi-heredity of affine quantum Schur algebras is studied.

19.
Recently, Chen et al. proposed a framework for authenticated key exchange (AKE) protocols (referred to as the CMYSG scheme) in Designs, Codes and Cryptography (available at http://link.springer.com/article/10.1007/s10623-016-0295-3). It is claimed that the proposed AKE protocol is secure in a new leakage-resilient eCK model w.r.t. auxiliary inputs (AI-LR-eCK). The main tool used for the generic construction is the smooth projective hash function (SPHF). In this note, we revisit the CMYSG scheme and point out a subtle flaw in the original security proof. Precisely, we show that the AI-LR-eCK security of the proposed construction cannot be successfully reduced to a pseudo-random SPHF, and thus the CMYSG scheme is not secure as claimed. To restore the security proof, we replace the underlying typical SPHF with a 2-smooth SPHF, and show that such a replacement combined with a \(\pi \hbox {PRF}\) suffices to overcome the subtle flaw.

20.
We construct a fundamental region for the action on the \(2d+1\)-dimensional affine space of some free, discrete, properly discontinuous groups of affine transformations preserving a quadratic form of signature \((d+1, d)\), where \(d\) is any odd positive integer.
