About: 62 publications, 3,123 reads
229 citations

Publications (62)
Fully Homomorphic Encryption (FHE) allows for data processing while it remains encrypted, enabling privacy-preserving outsourced computation. However, FHE faces challenges in real-world applications, such as communication overhead and storage limitations, due to the large size of its evaluation key. This paper revisits existing key switching algori...
Functional bootstrapping (FBS) is a powerful technique that evaluates a look-up table (LUT) while refreshing an LWE ciphertext in FHEW and TFHE schemes. However, the LUT evaluation over the message space is constrained by negacyclicity, which affects the practical application of functional bootstrapping. Existing methods require multiple FBS and so...
Homomorphic evaluation of hash functions offers a solution to the challenge of data integrity authentication in the context of homomorphic encryption. The earliest attempt to achieve homomorphic evaluation of SHA-256 hash function was proposed by Mella et al. [15] based on the BGV scheme. Unfortunately, their implementation faced significant limita...
The Blum–Kalai–Wasserman (BKW) algorithm is an important combinatorial algorithm for solving the Learning With Errors (LWE) problem. In this paper, we focus on the LWE problem with small secrets and present an improved BKW algorithm. The BKW algorithm has two phases, the reduction phase and the solving phase, and our new algorithm uses new techniques to...
Gentry et al. [26] first presented a homomorphic evaluation of AES-128 based on the BGV scheme; however, it suffered from high evaluation latency. Although considerable effort has been directed towards designing FHE-friendly symmetric encryption algorithms, the efficient homomorphic evaluation of the well-studied and standardized AES remains a...
The Learning With Errors (LWE) problem is widely used in lattice-based cryptography, which is the most promising post-quantum cryptography direction. There are a variety of LWE-solving methods, which can be classified into four groups: lattice methods, algebraic methods, combinatorial methods, and exhaustive searching. The Blum–Kalai–Wasserman (BKW...
In this paper, we study the hybrid dual attack over learning with errors (LWE) problems for any secret distribution. Prior to our work, hybrid attacks were only considered for sparse and/or small secrets. A new and interesting result from our analysis shows that for most cryptographic use cases a hybrid dual attack outperforms a standalone dual atta...
The Learning with Errors (LWE) problem is one of the most prominent problems in lattice-based cryptography. Many practical LWE-based schemes, including Fully Homomorphic encryption (FHE), use sparse ternary secret for the sake of efficiency. Several (hybrid) attacks have been proposed that benefit from such sparseness, thus researchers believe the...
A lattice attack on the Elliptic Curve Digital Signature Algorithm (ECDSA) implementation constructs a lattice related to the secret key by utilizing the information leaked and then recovers the secret key by finding a certain short lattice vector. When the information leaked is discrete bits, Fan et al. (CCS 2016) constructed an efficient lattice...
The dual attack is widely used in the concrete security estimation of the learning with errors (LWE) problem. Predicting the concrete security of LWE against the dual attack, i.e., the minimal cost of the dual attack, is a constrained optimization problem. However, there is no complete theoretical analysis. We fill in this gap by proving that, for...
We present a secure backpropagation neural network training model (SecureBP), which allows a neural network to be trained while retaining the confidentiality of the training data, based on the homomorphic encryption scheme. We make two contributions. The first one is to introduce a method to find a more accurate and numerically stable polynomial ap...
There exists only one deterministic identity-based encryption (DIBE) scheme which is adaptively secure in the auxiliary-input setting under the learning with errors (LWE) assumption. However, its master public key consists of O(λ) basic matrices. In this paper, we consider constructing adaptively secure DIBE schemes with more compact public parame...
Dual receiver encryption (DRE), proposed by Diament et al. at ACM CCS 2004, is a special extension notion of public-key encryption, which enables two independent receivers to decrypt a ciphertext into a same plaintext. This primitive is quite useful in designing combined public key cryptosystems and denial of service attack-resilient protocols. Up...
There are several frameworks for password-based authenticated key exchange (PAKE) protocols with a common reference string following the work of Katz, Ostrovsky and Yung (Eurocrypt’01), and it seems that IND-CCA secure encryption is inevitable when constructing PAKE in the standard model.
Data confidentiality and availability are of primary concern in data storage. Dispersal storage schemes achieve these two security properties by transforming the data into multiple codewords and dispersing them across multiple storage servers. Existing schemes achieve confidentiality and availability by various cryptographic and coding algorithms,...
The existing LWE-based dual-mode scheme could not fit the framework of dual-mode cryptosystem very well. In this paper, we give two solutions of constructing “full-fledged” dual-mode cryptosystems based on LWE. In our first construction, we give a modified “dual version” of Peikert et al.’s (Crypto’08) construction, in which the simulated public ke...
Based on the learning with errors (LWE) problem, we construct an identity-based encryption (IBE) scheme in the standard-model which is secure against the key dependent message (KDM) attacks and the selective opening (SO) attacks. KDM security, which requires that the scheme can still obtain secrecy even if the messages depend on the secret key, is...
Leakage-resilient cryptography requires that a crypto-system remain provably secure even if the attacker gets additional information about the internal states, which is usually the secret key in the scenario of public key encryption. In this paper, we propose a solution to achieve leakage resilience CCA for key encapsulation mechanisms firstly base...
In this paper we study public key encryption schemes of indistinguishability security against receiver selective opening (IND-RSO) attacks, where the attacker can corrupt some receivers and get the corresponding secret keys in the multi-party setting. Concretely:
We present a general construction of RSO security against chosen ciphertext attacks (R...
We introduce a new notion, lossy key encapsulation mechanism (lossy KEM), which enhances the notion of key encapsulation mechanism with lossiness, and can be more efficient than lossy trapdoor functions. We show that lossy KEM can be constructed from lossy trapdoor functions, lossy trapdoor relations, and entropic projective hashing. Using lossy KE...
We introduce the notion of approximate-deterministic public key encryption (A-DPKE), which extends the notion of deterministic public key encryption (DPKE) by allowing the encryption algorithm to be “slightly” randomized. However, a ciphertext convergence property is required for A-DPKE such that the ciphertexts of a message are gathering in a smal...
In this paper we study public key encryptions secure against RSO (receiver selective opening) attacks. To do so, we exploit the puncturable property of several existing CCA secure schemes that employs the “all-but-one” technique, use an indistinguishability obfuscator to wrap up the decryption circuit and set the obfuscated circuit as the secret ke...
In this paper, we propose a hierarchical identity-based encryption (HIBE) scheme in the random oracle (RO) model based on the learning with rounding (LWR) problem over small modulus $q$. Compared with the previous HIBE schemes based on the learning with errors (LWE) problem, the ciphertext expansion ratio of our scheme can be decreased to 1/2. Then...
We present a CCA secure PKE based on the LWE problem with uniform errors. We use one of the parameter instantiations of LWE with uniform errors suggested by Micciancio and Peikert (CRYPTO 2013). Since uniform errors do not bear the Fourier properties of Gaussian errors, the statistical techniques and tools used by Micciancio and...
In this paper, we introduce a primitive called lossy projective hashing. It is unknown before whether smooth projective hashing (Cramer-Shoup, Eurocrypt’02) can be constructed from dual projective hashing (Wee, Eurocrypt’12). The lossy projective hashing builds a bridge between dual projective hashing and smooth projective hashing. We give instanti...
We extend the notion of lossy encryption to the scenario of identity-based encryption (IBE), and propose a new primitive called identity-based lossy encryption (IBLE). Similar to the case of lossy encryption, we show that IBLE can also achieve selective opening security. Finally, we present a construction of IBLE from the assumption of learning wit...
We propose an efficient public key encryption scheme which is key-dependent message secure against chosen ciphertext attacks (KDM-CCA) with respect to affine functions based on the decisional composite residuosity assumption. Technically, we achieve KDM-CCA security by enhancing a chosen ciphertext secure scheme based on the high entropy hash proof...
In this paper we show that RSA-OAEP is secure against related key attacks (RKA) in the random oracle model under the strong RSA (sRSA) assumption. The key related functions can be affine functions. Compared to the chosen ciphertext security proof of OAEP, we overcome two major obstacles: answering the decryption queries under related keys; and prev...
We prove that, for a KEM/Tag-DEM (Key Encapsulation Mechanism/Tag Data Encapsulation Mechanism) hybrid encryption scheme, if the adaptive chosen ciphertext secure KEM part has the properties of key malleability and key fingerprint and the Tag-DEM part is a one-time secure tag authenticated encryption, then the hybrid encryption is secure against...
Peikert and Waters proposed the notion of lossy trapdoor function in STOC 2008. In this paper, we propose a relaxation of lossy trapdoor function, called lossy trapdoor relation. Unlike the lossy trapdoor function, lossy trapdoor relation does not require completely recovering the input but a public computable injective map of it. Interestingly, th...
In this paper we propose a framework for constructing public key encryption against related key attacks from hash proof systems in the standard model. Compared with the construction of Wee (PKC 2012), our framework avoids the use of one-time signatures. We show that the schemes presented by Jia et al. (ProvSec 2013) fit into our framework. And...
We propose a generic construction of lossy trapdoor function from the subgroup membership assumption. We present three concrete constructions based on the k-DCR assumption over \(\mathbb{Z}^*_{N^2}\), the extended p-subgroup assumption over \(\mathbb{Z}^*_{N^2}\), and the decisional RSA subgroup membership assumption over \(\mathbb{Z}^*_{N}\). Our...
In this paper, we prove the security against related key attacks of two public key encryption schemes in the standard model. The first scheme is a variation of the scheme (KYPS09) presented by Kiltz, Pietrzak et al. in Eurocrypt 2009. While KYPS09 has been proved CCA secure under the DDH assumption, we show that it is not secure against related key...
To improve the decapsulation efficiency of HK09 (proposed by Hofheinz and Kiltz in Eurocrypt 2009), we propose a new technique to remove the exponent GCD operation. In the proposed scheme, the decapsulation efficiency is improved by 38.9% (instantiated over the semi-smooth subgroup) and the efficiency of encapsulation is dropped by 5.7%.
We propose a new variant of HK09 (proposed by D. Hofheinz and E. Kiltz [ Advances in cryptology – EUROCRYPT 2009. 28th annual international conference on the theory and applications of cryptographic techniques. Lect. Notes Comput. Sci. 5479, 313–332 (2009; Zbl 1239.94052)] [J. Cryptology 26, No. 1, 102–118 (2013; Zbl 1291.94097)]) which improves th...
We propose a new variant of HK09 (proposed by Hofheinz and Kiltz in Eurocrypt 2009) which simplifies the decapsulation. Our result is a tradeoff between the efficiency of encapsulation and decapsulation. Compared with the original HK09, the efficiency of decapsulation is improved by 38.9% and the efficiency of encapsulation is dropped by 11.4%.
Key-dependent message (KDM) security means that the encryption scheme remains secure even when encrypting f(sk), where f is an efficiently computable function chosen by the adversary and $sk = sk_1, \cdots, sk_n$ are private keys. We concentrate on a special case where the function f is a division function. Namely, the messages of the form $sk_i/sk_j$ are encrypt...
In this paper we construct an efficient CCA-secure key encapsulation scheme in the standard model. The new scheme is based on the computational Diffie-Hellman assumption and the twinning technique, which has been widely discussed in recent years. Compared with previous schemes of the same kind, the new scheme is more generic, and offers a simple ap...
The notion of encryption simulatability was proposed by Dent to help prove plaintext awareness, and it was claimed that a hybrid encryption scheme composed of a simulatable KEM and a simulatable DEM is simulatable. Here we prove the simulatability of an IND-CCA2 secure probabilistic symmetric encryption scheme with every string in its ciphertext spa...
In Eurocrypt 2009, Hofheinz and Kiltz proposed a practical chosen ciphertext (CCA) secure public key encryption under the factoring assumption based on the Rabin trapdoor one-way permutation. We show that when the modulus is special such that $\mathbb{Z}_N^*$ has semi-smooth order, the instantiation of the Hofheinz-Kiltz 09 scheme (HK09) over a much smaller subgroup...
We give several examples to show that PA1 and IND-CCA2 together do not guarantee PA2 in the absence of random oracles, for both statistical and computational PA. In the statistical case, we use the Desmedt-Phan hybrid encryption scheme as the first example. If the DEM of the Desmedt-Phan hybrid encryption is an IND-CCA2 symmetric encryption without...
Kiltz proposed a practical key encapsulation mechanism (Kiltz07-KEM) which is secure against adaptive chosen ciphertext attacks (IND-CCA2) under the gap hashed Diffie-Hellman (GHDH) assumption [Eike Kiltz, Chosen-ciphertext secure key encapsulation based on hashed gap decisional Diffie-Hellman, in: Proceedings of the 10th International Workshop on...
Concurrent signature provided a novel idea for fair exchange protocols without a trusted third party. Perfect Concurrent Signature was proposed to strengthen the ambiguity of the concurrent signature. Wang et al. pointed out that there exists an attack against the fairness of Perfect Concurrent Signature and proposed the improved perfect concurrent signature...
An efficient variant of the ElGamal public key encryption scheme is proposed which is provably secure against adaptive chosen ciphertext attacks (IND-CCA2) under the decisional Diffie-Hellman (DDH) assumption. Compared to the previously most efficient scheme under the DDH assumption by Kurosawa and Desmedt (Crypto 2004), it has one group element shorter ciphertex...
A novel constant-round authenticated group key agreement (AGKA) protocol was proposed to overcome the weakness of the existing common AGKA protocols. The proposed protocol combines the dual exponential challenge-response (DCR) signature and BD structure. It can resist the leakage of ephemeral secret DH exponent attack while retaining the security o...
Password-authenticated key exchange (PAKE) allows the participants to share a session key using a human-memorable password only. In this paper, a provably-secure password-based authenticated tripartite key exchange protocol (3-PAKE) is presented in the standard model. The security of the protocol is reduced to the Decisional Bilinear Diffie-Hellma...
We propose a security notion named weak adaptive chosen ciphertext security (IND-WCCA) for hybrid encryption schemes. Although it is weaker than adaptive chosen ciphertext security (IND-CCA), an IND-WCCA secure hybrid encryption scheme can be used in any situation in which an IND-CCA secure hybrid encryption scheme is used. We show that IND-WCCA secu...
Kurosawa and Desmedt proposed an efficient hybrid encryption scheme (KD04) which is secure against adaptive chosen ciphertext attacks (IND-CCA) although the underlying KEM (key encapsulation mechanism) is not IND-CCA secure [11]. We show a variant of KD04 which is IND-CCA secure when the underlying DEM part is IND-CCA secure. We need a DEM built fro...
Kurosawa and Matsuo [1] showed that the MAC can be removed from DHIES while the underlying symmetric-key encryption (SKE) scheme is secure against adaptive chosen ciphertext attacks (IND-CCA). We construct a variant of DHIES which eliminates the MAC while the SKE scheme is secure against passive attacks (IND-PA). Since IND-PA is the basic requirement of...
For all current adaptive chosen ciphertext (CCA) secure public key encryption schemes in the standard model there are two operations in the decryption algorithm, "validity check" and decryption. The decryption algorithm returns the corresponding plaintext if the ciphertext is valid, otherwise it returns a rejection symbol $\bot$. We call this paradigm "invali...
M. Abdalla, M. Bellare and P. Rogaway proposed a variation of the Diffie-Hellman assumption named the oracle Diffie-Hellman (ODH) assumption. They recommend using a one-way cryptographic hash function for the ODH assumption. We notice that if the hash function is merely one-way then there is an attack. We show that if the hash function is non-malleable...
We construct an efficient identity based encryption scheme from pairing. The basic version of the new scheme is provably secure against chosen plaintext attack, and the full version of the new scheme is provably secure against adaptive chosen ciphertext attack. Our scheme is based on a new assumption (decision weak bilinear Diffie-Hellman assumption...
We revisit the chosen ciphertext secure public key encryption schemes in the standard model including Cramer-Shoup's scheme (CS98) and Kurosawa-Desmedt's scheme (KD04). We give simplified versions of CS98 and KD04. The simplified schemes are more efficient than the original schemes, and are also provably secure against chosen ciphertext attack in the standard mo...