*15:17* [Pub][ePrint]
Automating Fast and Secure Translations from Type-I to Type-III Pairing Schemes, by Joseph A. Akinyele and Christina Garman and Susan Hohenberger
Pairing-based cryptography has exploded over the last decade, as this algebraic setting offers good functionality and efficiency. However, there is a huge security gap between how schemes are usually analyzed in the academic literature and how they are typically implemented. The issue at play is that there exist multiple types of pairings: Type-I called \"symmetric\" is typically how schemes are presented and proven secure in the literature, because it is simpler and the complexity assumptions can be weaker; however, Type-III called \"asymmetric\" is typically the most efficient choice for an implementation in terms of bandwidth and computation time.There are two main complexities when moving from one pairing type to another. First, the change in algebraic setting invalidates the original security proof. Second, there are usually multiple (possibly thousands) of ways to translate from a Type-I to a Type-III scheme, and the \"best\" translation may depend on the application.

Our contribution is the design, development and evaluation of a new software tool, AutoGroup+, that automatically translates from Type-I to Type-III pairings. The output of AutoGroup+ is: (1) \"secure\" provided the input is \"secure\" and (2) optimal based on the user\'s efficiency constraints (excluding software and run-time errors). Prior automation work for pairings was either not guaranteed to be secure or only partially automated and impractically slow. This work addresses the pairing security gap by realizing a fast and secure translation tool.

*15:17* [Pub][ePrint]
Fully Secure Unbounded Revocable Attribute-Based Encryption in Prime Order Bilinear Groups via Subset Difference Method, by Pratish Datta and Ratna Dutta and Sourav Mukhopadhyay
Providing an efficient revocation mechanism for attribute-based encryption (ABE) is ofutmost importance since over time an user\'s credentials may be revealed or expired. All previously

known revocable ABE (RABE) constructions (a) essentially utilize the complete subtree (CS) scheme

for revocation purpose, (b) are bounded in the sense that the size of the public parameters depends

linearly on the size of the attribute universe and logarithmically on the number of users in the

system, and (c) are either selectively secure, which seems unrealistic in a dynamic system such as

RABE, or fully secure but built in a composite order bilinear group setting, which is undesirable from

the point of view of both efficiency and security. This paper presents the first fully secure unbounded

RABE using subset difference (SD) mechanism for revocation which greatly improves the broadcast

efficiency compared to the CS scheme. Our RABE scheme is built on a prime order bilinear group

setting resulting in practical computation cost, and its security depends on the Decisional Linear

assumption.

*15:17* [Pub][ePrint]
Security Analysis of Re-Encryption RPC Mix Nets, by Ralf Kuesters and Tomasz Truderung
Re-Encryption randomized partial checking (RPC) mix nets were introduced by Jakobsson, Juels, and Rivest in 2002 and since then have been employed in prominent modern e-voting systems and in politically binding elections in order to provide verifiable elections in a simple and efficient way. Being one of or even the most used mix nets in practice so far, these mix nets are an interesting and valuable target for rigorous security analysis.In this paper, we carry out the first formal cryptographic analysis of re-encryption RPC mix nets. We show that these mix nets, with fixes recently proposed by Khazaei and Wikstr{\\\"o}m, provide a good level of verifiability, and more precisely, accountability: cheating mix servers, who try to manipulate the election outcome, are caught with high probability. Moreover, we show that all attacks that would break the privacy of voters\' inputs are caught with a probability of at least $1/4$. In many cases, for example, when penalties are severe or reputation can be lost, adversaries might not be willing to take this risk, and hence, would behave in a way that avoids this risk. Now, for such a class of ``risk-avoiding\'\' adversaries, we show that re-encryption RPC mix nets provide a good level of privacy, even if only one mix server is honest.

*15:17* [Pub][ePrint]
Identity-Based Encryption Secure Against Selective Opening Chosen-Ciphertext Attack, by Junzuo Lai and Robert H. Deng and Shengli Liu and Jian Weng and Yunlei Zhao
Security against selective opening attack (SOA) requires that in a multi-user setting, even if an adversary has access to all ciphertexts from users, and adaptively corrupts some fraction of the users by exposing not only their messages but also the random coins, the remaining unopened messages retain their privacy. Recently, Bellare, Waters and Yilek considered SOA-security in the identity-based setting, and presented the first identity-based encryption (IBE) schemes that are proven secure against selective opening chosen plaintext attack (SO-CPA). However, how to achieve SO-CCA security for IBE is still open.In this paper, we introduce a new primitive called extractable IBE, which is a hybrid of one-bit IBE and identity-based key encapsulation mechanism (IB-KEM), and define its IND-ID-CCA security notion. We present a generic construction of SO-CCA secure IBE from an IND-ID-CCA secure extractable IBE with ``One-Sided Public Openability\'\'(1SPO), a collision-resistant hash function and a strengthened cross-authentication code. Finally, we propose two concrete constructions of extractable 1SPO-IBE schemes, resulting in the first simulation-based SO-CCA secure IBE schemes without random oracles.

*15:17* [Pub][ePrint]
Secure Random Linear Code Based Public Key Encryption Scheme RLCE, by Yongge Wang
As potential post-quantum cryptographic schemes, lattice based encryption schemesand linear codes based encryption schemes

have received extensive attention in recent years.

Though LLL reduction algorithm has been one of the major cryptanalysis techniques

for lattice based cryptographic systems, cryptanalysis techniques for linear codes

based cryptographic systems are generally scheme specific. In recent years,

several important techniques such as

Sidelnikov-Shestakov attack and filtration attacks have been

developed to crypt-analyze linear codes based encryption schemes.

Though most of these cryptanalysis techniques

are relatively new, they prove to be very powerful and many systems have been broken

using these techniques. Thus it is important to systematically investigate and

design linear code based cryptographic systems that are immune against these attacks.

This paper proposes linear code based encryption schemes RLCE which share

many characteristics with random linear codes. Our analysis shows

that the scheme RLCE is secure against existing attacks and we expect that

the security of the RLCE scheme is equivalent to the hardness of decoding random linear codes.

*15:17* [Pub][ePrint]
A Note on the Lindell-Waisbard Private Web Search Scheme, by Zhengjun Cao and Lihua Liu
In 2010, Lindell and Waisbard proposed a private web search scheme for malicious adversaries. At the end of the scheme, each party obtains one search word and query the search engine with the word. We remark that a malicious party could query the search engine with a false word instead of the word obtained. The malicious party can link the true word to its provider if the party publicly complain for the false searching result. To fix this drawback, each party has to broadcast all shares so as to enable every party to recover all search words and query the search engine with all these words.We also remark that there is a very simple method to achieve the same purpose of private shuffle. When a user wants to privately query the search engine with a word, he can choose another n-1 padding words to form a group of $n$ words and permute these words randomly. Finally, he queries the search engine with these words.

*15:17* [Pub][ePrint]
Scalable Divisible E-cash, by SÃ©bastien Canard, David Pointcheval, Olivier Sanders and Jacques TraorÃ©
Divisible E-cash has been introduced twenty years ago but no construction is both fully secure in the standard model and efficiently scalable. In this paper, we fill this gap by providing an anonymous divisible E-cash construction with constant-time withdrawal and spending protocols. Moreover, the deposit protocol is constant-time for the merchant, whatever the spent value is. It just has to compute and store $2^l$ serial numbers when a value $2^l$ is deposited, compared to $2^n$ serial numbers whatever the spent amount (where $2^n$ is the global value of the coin) in the recent state-of-the-art paper. This makes a very huge difference when coins are spent many times.Our approach follows the classical tree representation for the divisible coin. However we manage to build the values on the nodes in such a way that the elements necessary to recover the serial numbers are common to all the nodes of the same level: this leads to strong unlinkability and anonymity, the strongest security level for divisible E-cash.