著者
SeongHan SHIN Shota YAMADA Goichiro HANAOKA Yusuke ISHIDA Atsushi KUNII Junichi OKETANI Shimpei KUNII Kiyoshi TOMOMURA
出版者
The Institute of Electronics, Information and Communication Engineers
雑誌
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences (ISSN:09168508)
巻号頁・発行日
vol.E105-A, no.8, pp.1121-1133, 2022-08-01
被引用文献数
1

AONT (All-or-Nothing Transform) is a kind of (n, n)-threshold secret sharing scheme that distributes a message m into a set of n shares such that the message m can be reconstructed if and only if n shares are collected. At CRYPTO 2000, Desai proposed a simple and faster AONT based on the CTR mode of encryption (called CTRT) and proved its security in the ideal cipher model. Though AES-128, whose key length k = 128 and block length l = 128, can be used in CTRT as a block cipher, AES-256 and AES-192 cannot be used due to its intrinsic restriction of k ≤ l. In this paper, we propose an extended CTRT (for short, XCTRT) suitable for AES-256. By thoroughly evaluating all the tricky cases, we prove that XCTRT is secure in the ideal cipher model under the same CTRT security definition. Also, we discuss the security result of XCTRT in concrete parameter settings. For more flexibility of key length, we propose a variant of XCTRT dealing with l<k ≤ 2l by slightly modifying the construction of the last block. After showing implementation details and performance evaluation of CTRT, XCTRT, and the variant, we can say that our XCTRT and its variant have high-speed encoding and decoding performance and are quite practical enough to be deployed in real-world applications.
著者
Yusuke SAKAI Keita EMURA Goichiro HANAOKA Yutaka KAWAI Kazumasa OMOTE
出版者
The Institute of Electronics, Information and Communication Engineers
雑誌
IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences (ISSN:09168508)
巻号頁・発行日
vol.E96.A, no.6, pp.1156-1168, 2013-06-01 (Released:2013-06-01)
参考文献数
27
被引用文献数
3 4

This paper proposes methods for “restricting the message space” of public-key encryption, by allowing a third party to verify whether a given ciphertext does not encrypt some message which is previously specified as a “bad” (or “problematic”) message. Public-key encryption schemes are normally designed not to leak even partial information of encrypted plaintexts, but it would be problematic in some circumstances. This higher level of confidentiality could be abused, as some malicious parties could communicate with each other, or could talk about some illegal topics, using an ordinary public key encryption scheme with help of the public-key infrastructure. It would be undesirable considering the public nature of PKI. The primitive of restrictive public key encryption will help this situation, by allowing a trusted authority to specify a set of “bad” plaintexts, and allowing every third party to detect ciphertexts that encrypts some of the specified “bad” plaintext. The primitive also provides strong confidentiality (of indistinguishability type) of the plaintext when it is not specified as “bad.” In this way, a third party (possible a gateway node of the network) can examine a ciphertext (which comes from the network) includes an allowable content or not, and only when the ciphertext does not contain forbidden message, the gateway transfers the ciphertext to a next node. In this paper, we formalize the above requirements and provide two constructions that satisfied the formalization. The first construction is based on the techniques of Teranishi et al. (IEICE Trans. Fundamentals E92-A, 2009), Boudot (EUROCRYPT 2000), and Nakanishi et al. (IEICE Trans. Fundamentals E93-A, 2010), which are developed in the context of (revocation of) group signature. The other construction is based on the OR-proof technique. The first construction has better performance when very few messages are specified as bad, while the other does when almost all of messages are specified as bad (and only very few messages are allowed to encrypt).
著者
Ai ISHIDA Keita EMURA Goichiro HANAOKA Yusuke SAKAI Keisuke TANAKA
出版者
The Institute of Electronics, Information and Communication Engineers
雑誌
IEICE TRANSACTIONS on Fundamentals of Electronics, Communications and Computer Sciences (ISSN:09168508)
巻号頁・発行日
vol.E98-A, no.12, pp.2446-2455, 2015-12-01

The primitive called public key encryption with non-interactive opening (PKENO) is a class of public key encryption (PKE) with additional functionality. By using this, a receiver of a ciphertext can prove that the ciphertext is an encryption of a specified message in a publicly verifiable manner. In some situation that a receiver needs to claim that a ciphertext is NOT decrypted to a specified message, if he/she proves the fact by using PKENO straightforwardly, the real message of the ciphertext is revealed and a verifier checks that it is different from the specified message about which the receiver wants to prove. However, this naive solution is problematic in terms of privacy. Inspired by this problem, we propose the notion of disavowable public key encryption with non-interactive opening (disavowable PKENO) where, with respect to a ciphertext and a message, the receiver of the ciphertext can issue a proof that the plaintext of the ciphertext is NOT the message. Also, we give a concrete construction. Specifically, a disavowal proof in our scheme consists of 61 group elements. The proposed disavowable PKENO scheme is provably secure in the standard model under the decisional linear assumption and strong unforgeability of the underlying one-time signature scheme.