CryptoDB
Sayantan Mukherjee
Publications
Year
Venue
Title
2024
PKC
Threshold Structure Preserving Signatures: Strong and Adaptive Security under Standard Assumptions
Abstract
Structure-preserving signatures (SPS) have emerged as an important cryptographic building block, as their compatibility with the Groth-Sahai (GS) NIZK framework allows to construct protocols under standard assumptions with reasonable efficiency.
Over the last years there has been a significant interest in the design of threshold signature schemes. However, only very recently Crites et al. (ASIACRYPT 2023) have introduced threshold SPS (TSPS) along with a fully non-interactive construction. While this is an important step, their work comes with several limitations. With respect to the construction, they require the use of random oracles, interactive complexity assumptions and are restricted to so called indexed Diffie-Hellman message spaces. Latter limits the use of their construction as a drop-in replacement for SPS. When it comes to security, they only support static corruptions and do not allow partial signature queries for the forgery.
In this paper, we ask whether it is possible to construct TSPS without such restrictions. We start from an SPS from Kiltz, Pan and Wee (CRYPTO 2015) which has an interesting structure, but thresholdizing it requires some modifications. Interestingly, we can prove it secure in the strongest model (TS-UF-1) for fully non-interactive threshold signatures (Bellare et al., CRYPTO 2022) and even under fully adaptive corruptions. Surprisingly, we can show the latter under a standard assumption without requiring any idealized model. All known constructions of efficient threshold signatures in the discrete logarithm setting require interactive assumptions and idealized models.
Concretely, our scheme in type III bilinear groups under the SXDH assumption has signatures consisting of 7 group elements. Compared to the TSPS from Crites et al. (2 group elements), this comes at the cost of efficiency. However, our scheme is secure under standard assumptions, achieves strong and adaptive security guarantees and supports general message spaces, i.e., represents a drop-in replacement for many SPS applications. Given these features, the increase in the size of the signature seems acceptable even for practical applications.
2024
CIC
Reinventing BrED: A Practical Construction
Abstract
<p> Broadcast Encryption (BE) allows a sender to send an encrypted message to multiple receivers. In a typical broadcast encryption scenario, the broadcaster decides the set of users who can decrypt a particular ciphertext (denoted as the privileged set). Gritti et al. (IJIS'16) introduced a new primitive called Broadcast Encryption with Dealership (BrED), where the dealer decides the privileged set. A BrED scheme allows a dealer to buy content from the broadcaster and sell it to users. It provides better flexibility in managing a large user base. To date, quite a few different constructions of BrED schemes have been proposed by the research community.</p><p> We find that all existing BrED schemes are insecure under the existing security definitions. We demonstrate a concrete attack on all the existing schemes in the purview of the existing security definition. We also find that the security definitions proposed in the state-of-the-art BrED schemes do not capture the real world. We argue about the inadequacy of existing definitions and propose a new security definition that models the real world more closely. Finally, we propose a new BrED construction and prove it to be secure in our newly proposed security model. </p>
2023
JOFC
Unbounded Predicate Inner Product Functional Encryption from Pairings
Abstract
Predicate inner product functional encryption (P-IPFE) is essentially attribute-based IPFE (AB-IPFE) which additionally hides attributes associated to ciphertexts. In a P-IPFE, a message $${\textbf {x}}$$ x is encrypted under an attribute $${\textbf {w}}$$ w and a secret key is generated for a pair $$({\textbf {y}}, {\textbf {v}})$$ ( y , v ) such that recovery of $$\langle {{\textbf {x}}}, {{\textbf {y}}}\rangle $$ ⟨ x , y ⟩ requires the vectors $${\textbf {w}}, {\textbf {v}}$$ w , v to satisfy a linear relation. We call a P-IPFE unbounded if it can encrypt unbounded length attributes and message vectors. $$\bullet $$ ∙ zero predicate IPFE . We construct the first unbounded zero predicate IPFE (UZP-IPFE) which recovers $$\langle {{\textbf {x}}}, {{\textbf {y}}}\rangle $$ ⟨ x , y ⟩ if $$\langle {{\textbf {w}}}, {{\textbf {v}}}\rangle =0$$ ⟨ w , v ⟩ = 0 . This construction is inspired by the unbounded IPFE of Tomida and Takashima (ASIACRYPT 2018) and the unbounded zero inner product encryption of Okamoto and Takashima (ASIACRYPT 2012). The UZP-IPFE stands secure against general attackers capable of decrypting the challenge ciphertext. Concretely, it provides full attribute-hiding security in the indistinguishability-based semi-adaptive model under the standard symmetric external Diffie–Hellman assumption. $$\bullet $$ ∙ non-zero predicate IPFE . We present the first unbounded non-zero predicate IPFE (UNP-IPFE) that successfully recovers $$\langle {{\textbf {x}}}, {{\textbf {y}}}\rangle $$ ⟨ x , y ⟩ if $$\langle {{\textbf {w}}}, {{\textbf {v}}}\rangle \ne 0$$ ⟨ w , v ⟩ ≠ 0 . We generically transform an unbounded quadratic FE (UQFE) scheme to weak attribute-hiding UNP-IPFE in both public and secret key setting. Interestingly, our secret key simulation secure UNP-IPFE has succinct secret keys and is constructed from a novel succinct UQFE that we build in the random oracle model. We leave the problem of constructing a succinct public key UNP-IPFE or UQFE in the standard model as an important open problem.
Coauthors
- Uddipana Dowerah (1)
- Subhranil Dutta (1)
- Avishek Majumder (1)
- Aikaterini Mitrokotsa (2)
- Sayantan Mukherjee (3)
- Tapas Pal (1)
- Mahdi Sedaghat (1)
- Daniel Slamanig (1)
- Jenit Tomy (1)