Information Security Practice and Experience 

Abstract: A ring signature scheme can be viewed as a group signature scheme with no anonymity revocation and with simple group setup. A linkable ring signature (LRS) scheme additionally allows anyone to determine if two ring signatures have been signed by the same group member. Recently, Dodis et al. [18] gave a short (constant-sized) ring signature scheme. We extend it to the first short LRS scheme, and reduce its security to a new hardness assumption, the Link Decisional RSA (LD-RSA) Assumption. We also extend [18]'s other schemes to a generic LRS scheme and a generic linkable group signature scheme. We discuss three applications of our schemes. Kiayias and Yung [22] constructed the first e-voting scheme which simultaneously achieves efficient tallying, public verifiability, and write-in capability for a typical voter distribution under which only a small portion writes in. We construct an e-voting scheme based on our short LRS scheme which achieves the same even for all worst-case voter distribution. Direct Anonymous Attestation (DAA) [6] is essentially a ring signature scheme with certain linking properties that can be naturally implemented using LRS schemes. The construction of an offline anonymous e-cash scheme using LRS schemes is also discussed.

Abstract: In ciphertext-policy attributed-based encryption (CP-ABE), each ciphertext is labeled by the encryptor with an access structure (also called ciphertext policy) and each private key is associated with a set of attributes. A user should be able to decrypt a ciphertext if and only if his private key attributes satisfy the access structure. The traditional security property of CP-ABE is plaintext privacy, which ciphertexts reveal no information about the underlying plaintext. At ACNS'08, Nishide, Yoneyama and Ohta introduced the notion of ciphertext-policy hiding CP-ABE. In addition to protecting the privacy of plaintexts, ciphertext-policy hiding CP-ABE also protects the description of the access structures associated with ciphertexts. They observed that ciphertext-policy hiding CP-ABE can be constructed from attribute-hiding inner-product predicate encryption (PE), and presented two constructions of ciphertext-policy hiding CP-ABE supporting restricted access structures, which can be expressed as AND gates on multi-valued attributes with wildcards. However, their schemes were only proven selectively secure. In this paper, we first describe the construction of ciphertext-policy hiding CP-ABE from attribute-hiding inner-product PE formally. Then, we propose a concrete construction of ciphertext-policy hiding CP-ABE supporting the same access structure as that of Nishide, Yoneyama and Ohta, but our scheme is proven fully secure.

Abstract: With a Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme, a user's private key is associated with a set of attributes and the data is encrypted under an access policy defined by the message sender. A user can decrypt a ciphertext if and only if her attributes satisfy the access policy. In CP-ABE, since the message sender enforces the access policy during the encryption phase, the policy moves with the encrypted data. In this paper, we provide an efficient CP-ABE scheme which can express any access policy represented by a formula involving the and (***) and or (***) operators. The scheme is secure under Decision Bilinear Diffie-Hellman (DBDH) assumption. Furthermore, we extend the expressiveness of the scheme by including the of operator in addition to *** and ***. We provide a comparison with some existing CP-ABE schemes and show that our schemes are more efficient.

Abstract: An Attribute-Based Encryption (ABE) is an encryption scheme, where users with some attributes can decrypt ciphertexts associated with these attributes. However, the length of the ciphertext depends on the number of attributes in previous ABE schemes. In this paper, we propose a new Ciphertext-Policy Attribute-Based Encryption (CP-ABE) with constant ciphertext length. Moreover, the number of pairing computations is also constant.