Willy Susilo
  • School of Computer Science and Software Engineering
    University of Wollongong
    Northfields Avenue
    Wollongong
    NSW 2522
    AUSTRALIA
  • +61-2-4221-5535
  • Willy Susilo obtained his Bachelor Degree in Computer Science from Universitas Surabaya, Indonesia with a "Summa Cum ...
In this chapter, we introduce the ElGamal encryption scheme and the Cramer-Shoup encryption scheme [32]. The first scheme is widely known, and we give it here to help the reader understand how to analyze the correctness of a security reduction. The second scheme is the first practical encryption scheme without random oracles with CCA security. The given schemes and/or proofs may be different from the original ones.
Certificateless cryptography has attracted a lot of attention from the research community, due to its applicability in information security. In this paper, we analyze two recently proposed certificateless signature schemes and point out their security flaws. In particular, we demonstrate universal forgeries against these schemes under known message attacks.
A tightly secure cryptographic scheme refers to a construction with a tight security reduction to a hardness assumption, where the reduction loss is a small constant. A scheme with tight security is preferred in practice since it can be implemented with smaller parameters to improve efficiency. Recently, Bader et al. (EUROCRYPT 2016) have presented a comprehensive study of the impossibility of tight security reductions for certain (e.g., key-unique) public-key cryptographic schemes in the multi-user setting with adaptive corruptions (MU-C) built upon non-interactive assumptions. The assumptions of the one-more variety, such as one-more computational Diffie-Hellman (n-CDH), are variants of the standard assumptions and have found various applications. However, whether it is possible to have tightly secure key-unique schemes from the one-more assumptions, or whether the impossibility results for tight reductions also hold for these assumptions, remains unknown. In this paper, we give affirmative answers to the above question, i.e., we can have efficient key-unique public-key cryptographic schemes with tight security built upon the one-more assumptions. Specifically, we propose a digital signature scheme and an encryption scheme, both of which are key-unique and have tight MU-C security under the one-more computational Diffie-Hellman (n-CDH) assumption. Our results also reflect, from another angle, that there indeed exists a gap between the standard assumptions and their one-more counterparts.
In this paper, we present a new cryptographic primitive called "policy-controlled signatures". In this notion, a signer can sign a message and attach it with some policies. Only a verifier who sati...
In this paper, we propose a privacy-preserving reservation system for electric vehicle (EV) charging stations. Due to the short driving range of EVs, frequent charging is necessary, so a mechanism for charging station reservation by EV owners is desirable. Our proposed system allows the vehicle owner to reserve a number of charging stations along the intended route at different time-slots. Yet it is secure against misuse, in that a user can only hold a limited number of reservations simultaneously. More importantly, our system provides privacy for users: the charging station does not learn the identity of the user who has reserved it, and thus location privacy can be protected. We demonstrate the practicality of our system with a prototype implementation on a smart phone. Finally, we also provide a security proof to show that our system is secure under well-known computational assumptions.
Authentication is one of the most fundamental services in information security. Compared with traditional authentication methods, group authentication enables a group of users to be authenticated at once rather than authenticating each user individually. Therefore, it is preferred in the group-oriented environment, such as multicast/conference communications. While several group authentication schemes have been proposed over the past few years, no formal treatment for this cryptographic problem has ever been suggested. Existing papers only provide heuristic evidences of security and some of these schemes have later been found to be flawed. In this paper, we present a formal security model for this problem. Our model not only captures the basic requirement in group authentication that an adversary cannot pretend to be a group member without being detected, but also considers some desirable features in real-world applications, such as re-use of the credentials in multiple authenticati...
Cloud computing offers on-demand availability of computing resources over the Internet. To attract users, cloud providers offer their resources as services at reasonable prices and provide various price models to reflect higher levels of quality of service (QoS), which are referred to as pricing schemes. $k$-times anonymous authentication ($k$-TAA) is an attractive approach to constructing pricing schemes, providing access controllability, user anonymity and public traceability. In $k$-TAA schemes, authenticated users are permitted to anonymously access services from a provider at most $k$ times, while those whose number of access times exceeds $k$ can be publicly traced. That is, $k$-TAA schemes offer a prepaid plan that charges users based on the number of access times.
Alternatively, pay-as-you-go (PAYG) is a pricing strategy that allows users to be charged based on the amount of usage, reducing the cost of unnecessary resources. Adapting $k$-TAA schemes to the PAYG model, the access bound $k$ is decided by the prepayment amount and the service usage is tracked by the number of access times. However, this approach is impractical, since existing $k$-TAA schemes only allow a one-time access per authentication. This article aims to bridge this gap in the literature by designing an efficient and secure authentication system for PAYG cloud computing, supporting flexible access controllability, user anonymity and public traceability.
To achieve this, we propose a new $k$-TAA primitive, called $k$-times anonymous pay-as-you-go authentication ($k$-TAA-PAYG), that allows users to access services multiple times in one authentication as long as the number of their access times does not exceed $k$. We first formalize the definition and security model for the $k$-TAA-PAYG scheme. Subsequently, we present a concrete construction of a $k$-TAA-PAYG scheme, with the computational complexity as …
An identity-based revocation system (IBRS) generates the ciphertext with a revoked identity list such that only the non-revoked identities can use their private keys to decrypt this ciphertext. IBRS can be efficiently applied in some practical applications, such as pay-TV systems, when the number of revoked identities is much smaller than the number of non-revoked ones. However, since IBRS is based on identity-based cryptography, it also suffers from the inherent key escrow problem, where the private key generator (PKG) has full control of each user's private key. As a consequence, it is hard to judge whether a pirated private key was generated by the PKG or by the suspected user. There is no study on IBRS fulfilling accountability in the literature to date. In this paper, we introduce the notion of accountable authority IBRS (A-IBRS), which provides accountability in IBRS schemes. In an A-IBRS, the aforementioned problem can be alleviated and resolved. Furthermore, a full black-box A-IBRS can distinguish whether the creator of a black box is the PKG or the associated user, even when the dishonest PKG is allowed to access the decryption results of the user's private key. We formalize the definition and security models of full black-box A-IBRS schemes. Then, we present a concrete full black-box A-IBRS scheme with constant-size master public key and private key. Finally, we prove the security of our scheme under the defined security models without random oracles.
Attribute-based encryption (ABE) allows one-to-many encryption with static access control. On many occasions, the access control policy must be updated, but the original encryptor might be unavailable to re-encrypt the message, which makes it impractical. Unfortunately, to date the work on ABE has not considered this issue, and this hinders the adoption of ABE in practice. In this work, we consider how to update access policies in ciphertext-policy attribute-based encryption (CP-ABE) systems efficiently without re-encrypting each ciphertext under the new access policy. We introduce a new notion of CP-ABE supporting access policy update that captures the functionalities of attribute addition to and revocation from access policies. We formalize the security requirements for this notion and subsequently construct two provably secure CP-ABE schemes supporting AND-gate access policies with constant-size ciphertexts for user decryption. The security of our schemes is proved under the augmented multi-sequences of exponents decisional Diffie–Hellman assumption. We also present a different construction in which certain attributes in an access policy can be preserved by the original encryptor, while other attributes can be revoked efficiently, so that the ability to revoke attributes can be appropriately restrained.
Lightweight devices such as smart cards and RFID tags have a very limited hardware resource, which could be too weak to cope with asymmetric-key cryptography. It would be desirable if the cryptogra...
In Fog Computing, the fragile connection between Fog and Cloud causes authentication and authorization problems. Recently, Stojmenovic, Wen, Huang and Luan introduced a potential solution by adopting the concept of Stand-Alone Authentication (SAA) and equipping it with Attribute-based encryption (ABE) for its security in a large and dynamic information system. In such a system, a user's access right can be described as a set of attributes linked to his/her private key. In this paper, we note that if a user can generate a new private key for a portion of his/her access right, this could potentially lead to some undesirable situations that violate the access control policy. Interestingly, to date, there is no work that looks into this matter in detail or addresses it. We point out that this is a property that exists in ABE systems, which we refer to as key-delegation abuse. ABE systems that suffer from key-delegation abuse will hinder the adoption of these systems in practice. In this work, for the first time in the literature, we address the key-delegation abuse problem in Ciphertext-policy Attribute-based Encryption (CP-ABE) systems. We introduce a new mechanism to enhance CP-ABE schemes so that they provide protection against this key-delegation abuse issue. We formalize the security requirements for such a property, and subsequently construct a CP-ABE scheme that satisfies the new security requirements. We also present an application of our scheme to a traceable CP-ABE, where the traitors, i.e. the users who have leaked their keys, can be traced.
  • The property of key-delegation abuse in ABE systems is investigated.
  • A provably secure CP-ABE scheme against key-delegation abuse is proposed.
  • A new security game model against key-delegation abuse is introduced.
  • The new feature of the proposed CP-ABE scheme is proved in the generic group model.
  • An application to a traitor-tracing CP-ABE scheme is also presented.
In this chapter, we introduce what a security reduction is and how to program a correct security reduction. We start by presenting an overview of important concepts and techniques, and then the proof structures for digital signatures and encryption. We classify each concept into several categories in order to guide the reader to a deep understanding of security reduction. We devise and select some examples to show how to correctly program a full security reduction. Some definitions adopted in this book may be defined differently elsewhere in the literature.
Provable data possession (PDP) allows the cloud server to prove that its client's data is securely stored, and allows the data uploader to check the integrity of the data (alternatively, a third party auditor (TPA) can perform the auditing on behalf of the uploader). Sharing data among multiple uploaders is another attractive advantage of cloud storage. However, the privacy of multiple uploaders must be considered: during an auditing process, the TPA should not be able to learn the identity of the uploader. To address this problem, some privacy-preserving auditing schemes in the literature utilize ring signature or group signature techniques, which are not computationally efficient. How to improve efficiency in a cloud storage system with multiple uploaders is a challenge. In this paper, we propose an anonymous cloud auditing scheme with multiple uploaders (ACAMU). The authentication tag of a message consists of only one element. Therefore, the storage cost of the tags and the transmission and verification cost during the auditing process can be significantly reduced. We provide a full security proof for our scheme. Meanwhile, our scheme achieves unconditional anonymity for the uploaders, namely, the TPA cannot distinguish the identity of the uploader even if it holds all the uploaders' secret keys after performing the auditing operation.
The first step in constructing a provably secure cryptosystem in public-key cryptography is to clarify its cryptographic notion and formalize the definitions of the algorithm and its corresponding security model. A cryptographic notion helps the reader understand the definition of the algorithm, while the security model is essential for measuring the strength of a proposed scheme. Both a scheme construction and its security proof require knowledge of the corresponding cryptographic foundations.
In this chapter, we mainly introduce the BLS scheme [26], the BB RO scheme [20], and the ZSS scheme [104] under the H-Type, the C-Type, and the I-Type structures, respectively.
In this chapter, we start by introducing the Boneh-Boyen IBE scheme [20], which is selectively secure under the DBDH assumption. Then, we introduce a variant of Boneh-Boyen IBE for CCA security that avoids one-time signatures [28] and instead uses a chameleon hash function [94]. Then, we introduce the Waters IBE scheme [101] and the Gentry IBE scheme [47], which are both fully secure, under the C-Type and the I-Type structures, respectively. The given schemes and/or proofs may be different from the original ones.