International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Xianhui Lu

Affiliation: IIE, Chinese Academy of Sciences

Publications

Year
Venue
Title
2018
ASIACRYPT
Understanding and Constructing AKE via Double-Key Key Encapsulation Mechanism
Motivated by abstracting the common idea behind several implicitly authenticated key exchange (AKE) protocols, we introduce a primitive that we call double-key key encapsulation mechanism (2-key KEM). It is a special type of KEM involving two pairs of secret-public keys and satisfying some function and security property. Such 2-key KEM serves as the core building block and provides alternative approaches to simplify the constructions of AKE. To see the usefulness of 2-key KEM, we show how several existing constructions of AKE can be captured as 2-key KEM and understood in a unified framework, including widely used HMQV, NAXOS, Okamoto-AKE, and FSXY12-13 schemes. Then, we show (1) how to construct 2-key KEM from concrete assumptions, (2) how to adapt the classical Fujisaki-Okamoto transformation and KEM combiner to achieve the security requirement of 2-key KEM, (3) an elegant Kyber-AKE over lattice using the improved Fujisaki-Okamoto technique.
2015
EUROCRYPT
2014
EPRINT
2011
PKC
2010
EPRINT
Chosen Ciphertext Secure Encryption over Semi-smooth Subgroup
In this paper we propose two public key encryption schemes over the semi-smooth subgroup introduced by Groth05. Both the schemes are proved secure against chosen ciphertext attacks under the factoring assumption. Since the domain of exponents is much smaller, both our schemes are significantly more efficient than Hofheiz-Kiltz 2009 encryption.
2008
EPRINT
Improved efficiency of Kiltz07-KEM
Xianhui Lu Xuejia Lai Dake He
Kiltz proposed a practical key encapsulation mechanism(Kiltz07-KEM) which is secure against adaptive chosen ciphertext attacks(IND-CCA2) under the gap hashed Diffie-Hellman(GHDH) assumption\cite{Kiltz2007}. We show a variant of Kiltz07-KEM which is more efficient than Kiltz07-KEM in encryption. The new scheme can be proved to be IND-CCA2 secure under the same assumption, GHDH.
2008
EPRINT
Accountability of Perfect Concurrent Signature
Yunfeng Li Dake He Xianhui Lu
Concurrent signature provided a novel idea for fair exchange protocol without trusted third party. Perfect Concurrent Signature is proposed to strengthen theambiguity of the concurrent signature. Wang et al, pointed out there exist an attack against the fairness of Perfect Concurrent Signature and proposed the improved perfect concurrent signature. This paper find that in proposed (perfect) concurrent signature protocol, no matter two party or multi-party, the signer could bind multiple messages with one keystone set but let the other signers know only one of the messages. This is a new unfair case in the application of concurrent signature. Based on this observation, we propose that accountability should be one of the security properties of (perfect) concurrent signature and we give the definition of accountability of concurrent signature. To illustrate this idea, we give an attack scene against the accountability of improved perfect concurrent signature proposed by Wang et al, and propose an update version of perfect concurrent signature to avoid such attack.
2008
EPRINT
Chosen ciphertext secure public key encryption under DDH assumption with short ciphertext
Xianhui Lu Xuejia Lai Dake He
An efficient variant of the ElGamal public key encryption scheme is proposed which is provably secure against adaptive chosen ciphertext attacks(IND-CCA2) under the decisional Diffie-Hellman(DDH) assumption. Compared to the previously most efficient scheme under DDH assumption by Kurosawa and Desmedt [Crypto 2004] it has one group element shorter ciphertexts, 50\% shorter secret keys, 25\% shorter public keys and it is 28.6\% more efficient in terms of encryption speed, 33.3\% more efficient in terms of decryption speed. A new security proof logic is used, which shows directly that the decryption oracle will not help the adversary in the IND-CCA2 game. Compared to the previous security proof, the decryption simulation is not needed in the new logic. This makes the security proof simple and easy to understand.
2007
EPRINT
Efficient chosen ciphertext secure PKE scheme with short ciphertext
Kurosawa and Matsuo\cite{Kurosawa20042} showed that MAC can be removed from DHIES while the underlying symmetric-key encryption(SKE) scheme is secure against adaptive chosen ciphertext attacks(IND-CCA). We construct a variant of DHIES which eliminate the MAC while the SKE scheme is secure against passive attacks(IND-PA). Since IND-PA is the basic requirement of SKE schemes, the new scheme is more flexible than \cite{Kurosawa20042}. Our new scheme can be seen as a combination of a tag-KEM \cite{Abe2005} and a DEM. Our construction offers the first tag-KEM with single element. When the hash function $H$ in the ODH assumption is a non-malleable hash function we can prove that the new scheme is IND-CCA secure under the ODH assumption.
2007
EPRINT
A new paradigm of chosen ciphertext secure public key encryption scheme
Xianhui Lu Xuejia Lai Dake He
For all current adaptive chosen ciphertext(CCA) secure public key encryption schemes in standard model there are two operations in the decryption algorithm, ``validity check" and decryption. The decryption algorithm returns the corresponding plaintext if the ciphertext is valid otherwise it returns a rejection symbol $\perp$. We call this paradigm ``invalid ciphertext rejection". However the ``validity check" is not necessary for an encryption scheme. Also in this case the adversary will get the information that the ciphertext is "invalid" which he may not know before the decryption query. We propose a new paradigm for constructing CCA secure public key encryption schemes which combines ``validity check" and decryption together. The decryption algorithm will execute the same operation regardless of the ciphertext's validity. We call this new paradigm ``uniform decryption". Compared with the "invalid ciphertext rejection" paradigm, the decryption oracle of schemes in the new paradigm will reveal less information. The attacker even can not get whether the queried ciphertext is ``valid" or not. Moreover the combination of ``validity check" and the decryption will yield more efficient schemes. Using the new paradigm we construct an efficient public key encryption scheme. Our scheme is more efficient than CS98 in both computation and bandwidth. Compered with KD04 and HK07 the new scheme is more efficient in bandwidth and the same efficient in computation. The new scheme is as efficient as Kiltz07 both in computation and bandwidth. However the new scheme is CCA secure based on DDH assumption which is more flexible than GHDH assumption that Kiltz07 based on. Kurosawa and Desmedt proposed an efficient hybrid scheme named as KD04\cite{Kurosawa2004}. Although the key encapsulation part of KD04(KD04-KEM) is not CCA secure \cite{Hofheinz2006}, the whole scheme can be proved to be CCA secure. We show that if the key derivation function(KDF) of KD04-KEM is a non-malleable hash function it will be a CCA secure KEM in the new paradigm.
2007
EPRINT
A Short Signature Scheme in the Standard Model
In this paper, by elaborately choosing the parameters of Waters Hash function, we propose a new efficient signature scheme. It is shown that the scheme is secure against strongly unforgeable chosen-message attacks in the standard model under Computational Diffie-Hellman (CDH) assumption. Further, among all the known secure signatures in the standard model, our scheme is the shortest one and has the efficient security reduction as well.
2007
EPRINT
Weak adaptive chosen ciphertext secure hybrid encryption scheme
We propose a security notion named as weak adaptive chosen ciphertext security(IND-WCCA) for hybrid encryption schemes. Although it is weaker than adaptive chosen ciphertext security(IND-CCA), a IND-WCCA secure hybrid encryption scheme can be used in any situations that a IND-CCA secure hybrid encryption scheme used in. We show that IND-WCCA secure hybrid encryption scheme can be constructed from IND-CCA secure KEM and IND-PA secure DEM. Since IND-PA is the basic requirement of symmetric key encryption schemes, IND-WCCA hybrid encryption scheme is very flexible and can use most of the stream ciphers and block ciphers as the DEM part of the scheme. Use the new secure notion we can refine current IND-CCA secure hybrid encryption schemes and get more efficient IND-WCCA secure hybrid encryption schemes.
2007
EPRINT
On the hash function of ODH
M. Abdalla, M. Bellare and P. Rogaway proposed a variation of Diffie-Hellman assumption named as oracle Diffie-Hellman(ODH) assumption. They recommend to use a one-way cryptographic hash function for the ODH assumption. We notice that if the hash function is just one-way then there will be an attack. We show that if the the hash function is non-malleable then the computational version of ODH assumption can be reduced to the computational Diffie-Hellman(CDH) assumption. But we can not reduce the ODH assumption to the decisional Diffie-Hellman(DDH) even if the hash function is non-malleable. It seems that we need a random oracle hash function to reduce the ODH assumption to the DDH assumption.
2006
EPRINT
Revisit of KD04
KD04 proposed by K. Kurosawa and Y. Desmedt is the most efficient public key encryption scheme provably secure against adaptive chosen ciphertext attack in standard model based on decision diffie-hellman problem. We proposed a simplify version of KD04 which is more efficient than KD04 while still can be proved to be secure against adaptive chosen ciphertext attack in standard model based on decision diffie-hellman problem.
2006
EPRINT
Revisit of CS98
Cramer and Shoup proposed the first provably secure practical public-key encryption scheme in the standard model (CS98). We find new way to construct the secure reduction in which the decryption oracle is not needed yet. Thus we get a simplified version of CS98 which is more efficient than the original scheme, and also provably secure against chosen ciphertext attack in standard model.
2006
EPRINT
A New Identity Based Encryption Scheme From Pairing
Xianhui Lu Dake He Guomin Li
We construct an efficient identity based encryption scheme from pairing. The basic version of the new scheme is provably secure against chosen plaintext attack, and the full version of the new scheme is provably secure against adaptive chosen ciphertext attack. Our scheme is based on a new assumption (decision weak bilinear Diffie-Hellman assumption ) which is no stronger than decision bilinear Diffie-Hellman assumption.