
Author Search Result

[Author] Jae Hong SEO (7 hits)

  • A Remark on “Efficient Revocable ID-Based Encryption with a Public Channel”

    Jae Hong SEO  Keita EMURA  

     
    LETTER-Cryptography and Information Security

      Vol:
    E96-A No:11
      Page(s):
    2282-2285

    In 2001, Boneh and Franklin realized the first Identity-Based Encryption (IBE), and at the same time they proposed a simple way to revoke users from the system. Later, Boldyreva et al. pointed out that Boneh-Franklin's revocation method does not scale well, and they proposed the first IBE scheme with efficient revocation. Recently, Tseng and Tsai [Computer Journal, Vol.55 No.4, pages 475-486, 2012] claimed that Boldyreva et al.'s scheme requires a secure channel between each user and the key generation center in the key update phase, and proposed a new revocable IBE (RIBE) with a public channel by extending the Boneh-Franklin scheme. In this paper, we revisit Tseng and Tsai's result; we first point out that secure channels (except for the initial key setup) are not mandatory in the definition of RIBE formalized by Boldyreva et al. Next, we show that Boldyreva et al.'s scheme does not require any secure channels (except for the initial key setup), which differs from what Tseng and Tsai claimed and so invalidates their contribution of the first RIBE with a public channel. Moreover, we point out that there are simple techniques to remove secure channels from the Boneh-Franklin RIBE. Interestingly, we show that the secure-channel-free Boneh-Franklin RIBE scheme is secure against decryption key exposure, whereas the Tseng-Tsai RIBE scheme is vulnerable to this attack.

  • Multi-Party Privacy-Preserving Set Intersection with Quasi-Linear Complexity

    Jung Hee CHEON  Stanislaw JARECKI  Jae Hong SEO  

     
    PAPER-Cryptography and Information Security

      Vol:
    E95-A No:8
      Page(s):
    1366-1378

    Secure computation of the set intersection functionality allows n parties to find the intersection of their datasets without revealing anything else about them. An efficient protocol for such a task could have multiple potential applications in commerce, health care, and security. However, all currently known secure set intersection protocols for n > 2 parties have computational costs that are quadratic in the (maximum) number of entries in the dataset contributed by each party, making secure computation of the set intersection practical only for small datasets. In this paper, we describe the first multi-party protocol for securely computing the set intersection functionality whose communication and computation costs are both quasi-linear in the size of the datasets. For a fixed security parameter, our protocols require O(n²k) bits of communication and Õ(n²k) group multiplications per player in the malicious adversary setting, where k is the size of each dataset. Our protocol follows the basic idea of the protocol proposed by Kissner and Song, but we gain efficiency by using different representations of the polynomials associated with the users' datasets and by careful employment of algorithms that interpolate or evaluate polynomials on multiple points more efficiently. Moreover, the proposed protocol is robust: it outputs the desired result even if some corrupted players leave during the execution of the protocol.
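    The polynomial representation that the Kissner-Song approach (and, per the abstract above, this paper) builds on is easy to see in the clear. The following is an added example and is not code from the paper: each party encodes its set as the monic polynomial whose roots are its elements over a prime field F_p, the parties form the randomised combination Σ r_i(x)·f_i(x) with random polynomials r_i, and an element is in the intersection exactly when it is a root of that combination (a non-common element survives as a root only with probability about 1/p). The prime p = 2^61 - 1, the set sizes and the sample sets are constructed for this illustration; the real protocol evaluates the combination under homomorphic encryption so that nobody learns the other parties' polynomials, and that layer is deliberately omitted here.

```python
"""Plaintext core of polynomial-based multi-party set intersection.

Added illustration (not the paper's protocol): sets are represented as
polynomials over F_p whose roots are the set elements, and the randomised sum
sum_i r_i(x) * f_i(x) has exactly the common elements as roots (with
overwhelming probability).  Coefficient lists are lowest degree first.
"""
import secrets

P = 2**61 - 1  # Mersenne prime; the field F_p chosen for this example


def poly_from_roots(roots):
    """Monic polynomial prod_{s in roots} (x - s) over F_p."""
    poly = [1]
    for s in roots:
        new = [0] * (len(poly) + 1)
        for i, a in enumerate(poly):        # multiply by (x - s)
            new[i] = (new[i] - a * s) % P
            new[i + 1] = (new[i + 1] + a) % P
        poly = new
    return poly


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out


def poly_add(a, b):
    n = max(len(a), len(b))
    return [((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % P
            for i in range(n)]


def poly_eval(poly, x):
    """Horner evaluation of poly at x in F_p."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % P
    return acc


def random_poly(degree):
    return [secrets.randbelow(P) for _ in range(degree + 1)]


def combined_polynomial(sets):
    """sum_i r_i(x) * f_i(x) with fresh random r_i of degree k (k = max set size).

    In the protocol each party contributes its own r_i so that no single
    party controls the randomisation; here one process does it all.
    """
    k = max(len(s) for s in sets)
    total = [0]
    for s in sets:
        total = poly_add(total, poly_mul(random_poly(k), poly_from_roots(s)))
    return total


def party_view(combined, own_set):
    """What one party learns: which of ITS OWN elements are common to all sets."""
    return sorted(e for e in own_set if poly_eval(combined, e) == 0)


def intersection(sets):
    """Run the plaintext version end to end and return the common elements."""
    combined = combined_polynomial(sets)
    # Every party tests only its own elements; the union of their views is the
    # intersection (each view is already the full intersection).
    return sorted({e for s in sets for e in party_view(combined, s)})


if __name__ == "__main__":
    # Constructed sample sets; true intersection is {5, 7, 13}.
    sample = [[3, 5, 7, 11, 13], [5, 7, 9, 13, 21], [1, 5, 13, 17, 7]]
    print(intersection(sample))
```

    Note the degree of the combined polynomial is about 2k, so naive multiplication and evaluation of n such polynomials is the quadratic cost the abstract refers to; the paper's contribution is choosing representations and multipoint evaluation/interpolation algorithms that bring this to quasi-linear.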

  • Anonymous Hierarchical Identity-Based Encryption with Short Ciphertexts

    Jae Hong SEO  Tetsutaro KOBAYASHI  Miyako OHKUBO  Koutarou SUZUKI  

     
    PAPER-Public Key Cryptography

      Vol:
    E94-A No:1
      Page(s):
    45-56

    We propose an anonymous Hierarchical Identity-Based Encryption (anonymous HIBE) scheme with short ciphertexts. Prior to our work, most anonymous HIBE schemes had ciphertexts whose length grows with the hierarchical depth of the recipient. The size of the ciphertext in our scheme does not depend on the depth of the hierarchy. Moreover, our scheme achieves the lowest computational cost, since the computational cost of decryption is constant. The security can be proven under reasonable assumptions without using random oracles. Our scheme achieves the selective-ID security notion.

  • Revocable Identity-Based Encryption with Rejoin Functionality

    Jae Hong SEO  Keita EMURA  

     
    LETTER-Cryptography and Information Security

      Vol:
    E97-A No:8
      Page(s):
    1806-1809

    In the Identity-Based Encryption (IBE) setting, the rejoin functionality seems to be impossible, since each user has a unique identity as its public key. Moreover, sometimes these identities are unchangeable, e.g., when biometric information (fingerprint, iris, and so on) is regarded as the identity. Even if a changeable value, e.g., an e-mail address, is used as an identity, it is preferable that the same identity can be used after a secret key is leaked. In this paper, we give a formal security definition of revocable IBE (RIBE) with the rejoin functionality, and also show that the Seo-Emura RIBE scheme [PKC 2013] (with a slight modification) has the rejoin functionality.

  • Short Round Sub-Linear Zero-Knowledge Argument for Linear Algebraic Relations

    Jae Hong SEO  

     
    PAPER-Cryptography and Information Security

      Vol:
    E95-A No:4
      Page(s):
    776-789

    Zero-knowledge arguments allow one party to prove that a statement is true without leaking any information other than the truth of the statement. In many applications, such as verifiable shuffles (a practical application) and circuit satisfiability (a theoretical application), zero-knowledge arguments for mathematical statements related to linear algebra are essential building blocks. Groth proposed (at CRYPTO 2009) an elegant methodology for zero-knowledge arguments for linear algebraic relations over finite fields. He obtained zero-knowledge arguments of sub-linear size for linear algebra using reductions from linear algebraic relations to equations of the form z = x *' y, where x, y ∈ F_p^n are committed vectors, z ∈ F_p is a committed element, and *': F_p^n × F_p^n → F_p is a bilinear map. These reductions impose additional rounds on the sub-linear-size zero-knowledge arguments. The round complexity of interactive zero-knowledge arguments is an important measure along with communication and computational complexity. We focus on minimizing the round complexity of sub-linear zero-knowledge arguments for linear algebra. To reduce round complexity, we propose a general transformation from a t-round zero-knowledge argument satisfying mild conditions to a (t-2)-round zero-knowledge argument; this transformation is of independent interest.

  • Semi-Generic Transformation of Revocable Hierarchical Identity-Based Encryption and Its DBDH Instantiation

    Keita EMURA  Jae Hong SEO  Taek-Young YOUN  

     
    PAPER

      Vol:
    E99-A No:1
      Page(s):
    83-91

    Boneh and Franklin considered adding revocation functionality to identity-based encryption (IBE). Though this methodology is applicable to any IBE and hierarchical IBE (HIBE), the resulting scheme is non-scalable. Therefore, a generic transformation from non-scalable revocable (H)IBE (R(H)IBE) to scalable R(H)IBE is highly desirable. Towards this final goal, in this paper we introduce prototype RHIBE, which is not required to be scalable (but must satisfy some conditions), and propose a generic transformation from prototype RHIBE to scalable RHIBE. Moreover, we construct a prototype RHIBE scheme based on the decisional bilinear Diffie-Hellman (DBDH) assumption. Since our prototype RHIBE provides history-free update, insider security, and decryption key exposure resistance, our construction yields the first RHIBE scheme based on a static assumption with these desirable properties.

  • On Discrete Logarithm Based Additively Homomorphic Encryption

    Jae Hong SEO  Keita EMURA  

     
    LETTER-Cryptography and Information Security

      Vol:
    E96-A No:11
      Page(s):
    2286-2289

    In this paper, we examine additively homomorphic encryption schemes in the discrete logarithm setting. Recently, Wang et al. proposed an additively homomorphic encryption scheme by modifying the ElGamal encryption scheme [Information Sciences 181 (2011) 3308-3322]. We show that their scheme allows only a limited number of additions among encrypted messages, which differs from what they claimed.
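    The limitation the letter above is about is intrinsic to the discrete-log setting, and the standard textbook variant shows it directly: in exponential ElGamal the plaintext is encoded as g^m, ciphertexts can be multiplied to add plaintexts, but decryption only yields g^m and must then solve a discrete logarithm, which is feasible only while the (summed) plaintext stays within a small bound. The following is an added example, not code from the letter or from Wang et al.'s scheme; the safe-prime group it generates, the brute-force bound and the sample messages are choices made for this illustration.

```python
"""Exponential ElGamal: additively homomorphic, but only a bounded number of
additions can be decrypted.

Added example (not the scheme analysed in the letter).  Group: prime-order
subgroup of Z_p^* for a safe prime p = 2q + 1 generated here with Miller-Rabin.
Encrypt(m) = (g^r, g^m * y^r); multiplying two ciphertexts adds the messages.
Decrypt recovers g^m and brute-forces m up to `bound`; beyond that (and in any
case modulo q) the sum is no longer recoverable.
"""
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test (probabilistic; used only for setup)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_group(bits=64):
    """Return (p, q, g): safe prime p = 2q + 1 and g generating the order-q subgroup.

    64 bits is a demonstration size, far too small for real use.
    """
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    g = pow(2, 2, p)  # a square lies in the order-q subgroup; 4 != 1, so it generates
    return p, q, g


def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1          # secret key in [1, q-1]
    return x, pow(g, x, p)                    # (x, y = g^x)


def encrypt(p, q, g, y, m):
    r = secrets.randbelow(q - 1) + 1
    return pow(g, r, p), (pow(g, m, p) * pow(y, r, p)) % p


def add(p, c1, c2):
    """Homomorphic addition: componentwise product encrypts m1 + m2."""
    return (c1[0] * c2[0]) % p, (c1[1] * c2[1]) % p


def decrypt(p, q, g, x, c, bound):
    """Recover m from g^m by brute-force discrete log; None if m > bound."""
    c0, c1 = c
    gm = (c1 * pow(c0, q - x, p)) % p         # c0^(q-x) = c0^(-x) since c0 has order q
    acc = 1
    for m in range(bound + 1):
        if acc == gm:
            return m
        acc = (acc * g) % p
    return None


def demo(bound=1000):
    """Sum three constructed messages (decryptable), then push the sum past the bound."""
    p, q, g = gen_group()
    x, y = keygen(p, q, g)
    msgs = [120, 305, 77]                     # constructed sample plaintexts
    c = encrypt(p, q, g, y, msgs[0])
    for m in msgs[1:]:
        c = add(p, c, encrypt(p, q, g, y, m))
    small_sum = decrypt(p, q, g, x, c, bound)            # 502
    big = c
    for _ in range(3):                                   # 4 * 502 = 2008 > bound
        big = add(p, big, c)
    return small_sum, decrypt(p, q, g, x, big, bound)    # (502, None)


if __name__ == "__main__":
    print(demo())
```

    Raising the bound (or using baby-step giant-step) only moves the ceiling; the number of useful additions is always limited by how large a plaintext the decryptor can afford to recover, which is the kind of limit the letter identifies in the modified-ElGamal scheme.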