Efficient Adaptively-Secure IB-KEMs and VRFs via Near-Collision Resistance

Public key authenticated encryption with keyword search (PAEKS) has been proposed, where a sender's secret key is required for encryption, and a trapdoor is associated with not only a keyword but also the sender. This setting allows us to prevent information leakage of keyword from trapdoors. Liu et al. (ASIACCS 2022) proposed a generic construction of PAEKS based on word-independent smooth projective hash functions (SPHFs) and PEKS. In this paper, we propose a new generic construction of PAEKS, which is more efficient than Liu et al.'s in the sense that we only use one SPHF, but Liu et al. used two SPHFs. In addition, for consistency we considered a security model that is stronger than Liu et al.'s. Briefly, Liu et al. considered only keywords even though a trapdoor is associated with not only a keyword but also a sender. Thus, a trapdoor associated with a sender should not work against ciphertexts generated by the secret key of another sender, even if the same keyword is associated. That is, in the previous definitions, there is room for a ciphertext to be searchable even though the sender was not specified when the trapdoor is generated, that violates the authenticity of PAKES. Our consistency definition considers a multi-sender setting and captures this case. In addition, for indistinguishability against chosen keyword attack (IND-CKA) and indistinguishability against inside keyword guessing attack (IND-IKGA), we use a stronger security model defined by Qin et al. (ProvSec 2021), where an adversary is allowed to query challenge keywords to the encryption and trapdoor oracles. We also highlight several issues associated with the Liu et al. construction in terms of hash functions, e.g., their construction does not satisfy the consistency that they claimed to hold.

Section: Feasibility Of Our Generic Constructionmentioning

confidence: 99%

Generic Construction of Public-Key Authenticated Encryption with Keyword Search Revisited

EMURA

2024

“…Niehues (JKN) IBE scheme [40] which is adaptively secure, and other levels are selectively secure by appending a part of the selectively secure ABB IBE scheme. We can employ the Asano et al HIBE schemes.…”

Section: Our Contributionmentioning

confidence: 99%

“…We can employ the Asano et al HIBE schemes. 2 By employing state-of-the-art IBE schemes for the first level, we can construct BEKS schemes whose master public keys consist of only poly-log matrices in terms of the security parameter, as in [38], [40]. We state the underlying HIBE scheme as Y+AET or JKN+AET in Table 1.…”

Section: Our Contributionmentioning

confidence: 99%

Outsider-Anonymous Broadcast Encryption with Keyword Search: Generic Construction, CCA Security, and with Sublinear Ciphertexts

EMURA,

KAJITA,

OHTAKE

2024

As a multi-receiver variant of public key encryption with keyword search (PEKS), broadcast encryption with keyword search (BEKS) has been proposed (Attrapadung et al. at ASIACRYPT 2006/Chatterjee-Mukherjee at INDOCRYPT 2018. Unlike broadcast encryption, no receiver anonymity is considered because the test algorithm takes a set of receivers as input and thus a set of receivers needs to be contained in a ciphertext. In this paper, we propose a generic construction of BEKS from anonymous and weakly robust 3-level hierarchical identity-based encryption (HIBE). The proposed generic construction provides outsider anonymity, where an adversary is allowed to obtain secret keys of outsiders who do not belong to the challenge sets, and provides sublinear-size ciphertext in terms of the number of receivers. Moreover, the proposed construction considers security against chosen-ciphertext attack (CCA) where an adversary is allowed to access a test oracle in the searchable encryption context. The proposed generic construction can be seen as an extension to the Fazio-Perera generic construction of anonymous broadcast encryption (PKC 2012) from anonymous and weakly robust identity-based encryption (IBE) and the Boneh et al. generic construction of PEKS (EUROCRYPT 2004) from anonymous IBE. We run the Fazio-Perera construction employs on the first-level identity and run the Boneh et al. generic construction on the second-level identity, i.e., a keyword is regarded as a second-level identity. The third-level identity is used for providing CCA security by employing one-time signatures. We also introduce weak robustness in the HIBE setting, and demonstrate that the Abdalla et al. generic transformation (TCC 2010/JoC 2018) for providing weak robustness to IBE works for HIBE with an appropriate parameter setting. We also explicitly introduce attractive concrete instantiations of the proposed generic construction from pairings and lattices, respectively.

“…Thanks to the semi-generic construction, we propose the first purely adaptive and CCA-secure lattice-based IBEET schemes. Moreover, since ABB-type IBE covers Yamada's IBE scheme [17], Katsumata's IBE scheme [18], [19], and JKN IBE scheme [20], we can obtain the first adaptive lattice-based IBEET schemes whose public keys consist of poly-log matrices. We note that the size of secret keys and ciphertexts are asymptotically the same among all known IBEET schemes and our schemes.…”

Section: Our Contributionmentioning

confidence: 99%

“…Moreover, known adaptively secure IBEET schemes have a common bottleneck in terms of efficiency. Although there are adaptively secure lattice-based IBE schemes such as Yamada's IBE scheme [17], Katsumata's IBE scheme [18], [19], and Jager-Kurek-Niehues's (JKN) IBE scheme [20] † whose public keys consist of poly-log matrices, public keys of known adaptively secure lattice-based IBEET schemes [11]- [14] consist of matrices whose numbers are (almost) linear in the length of identities or the security parameter. Therefore, it is desirable to construct adaptively secure lattice-based IBEET schemes whose public keys consist of poly-log matrices.…”

Section: Introductionmentioning

confidence: 99%

More Efficient Adaptively Secure Lattice-Based IBE with Equality Test in the Standard Model

ASANO,

EMURA,

TAKAYASU

2024

Identity-based encryption with equality test (IBEET) is a variant of identity-based encryption (IBE), in which any user with trapdoors can check whether two ciphertexts are encryption of the same plaintext. Although several lattice-based IBEET schemes have been proposed, they have drawbacks in either security or efficiency. Specifically, most IBEET schemes only satisfy selective security, while public keys of adaptively secure schemes in the standard model consist of matrices whose numbers are linear in the security parameter. In other words, known lattice-based IBEET schemes perform poorly compared to the state-of-the-art lattice-based IBE schemes (without equality test). In this paper, we propose a semi-generic construction of CCA-secure lattice-based IBEET from a certain class of lattice-based IBE schemes. As a result, we obtain the first lattice-based IBEET schemes with adaptive security and CCA security in the standard model without sacrificing efficiency. This is because, our semi-generic construction can use several state-of-the-art lattice-based IBE schemes as underlying schemes, e.g. Yamada's IBE scheme (CRYPTO'17).