This paper proposes an inner-product encryption (IPE) scheme, which achieves selectively fully-attribute-hiding security in the standard model almost tightly reduced from the decisional linear (DLIN) assumption, and whose ciphertext is almost the shortest among the existing (weakly/fully) attribute-hiding IPE schemes, i.e., it consists of n+4 elements of G and 1 element of GT for a prime-order symmetric bilinear group (G, GT), where n is the dimension of attribute/predicate vectors. We also present a variant of the proposed IPE scheme that enjoys shorter public and secret keys with preserving the security. A hierarchical IPE (HIPE) scheme can be realized that has short ciphertexts and selectively fully-attribute-hiding security almost tightly reduced from the DLIN assumption.

This paper proposes the first (practical) inner product encryption (IPE) scheme that is adaptively secure and fully attribute-hiding (attribute-hiding in the sense of the definition by Katz, Sahai and Waters), while the existing (practical) IPE schemes are either fully attribute-hiding but selectively secure or adaptively secure but weakly attribute-hiding. The proposed IPE scheme is proven to be adaptively secure and fully attribute-hiding under the decisional linear assumption in the standard model. The IPE scheme is comparably as efficient as the existing (practical) attribute-hiding IPE schemes. We also present a variant of the proposed IPE scheme with the same security that achieves shorter public and secret keys. A hierarchical IPE scheme can be constructed that is also adaptively secure and fully attribute-hiding under the same assumption. In this paper, we extend the dual system encryption technique by Waters into a more general manner, in which new forms of ciphertext and secret keys are employed and new types of information theoretical tricks are introduced along with several forms of computational reduction.

The concept of dual pairing vector spaces (DPVS) was introduced by Okamoto and Takashima in 2009, and it has been employed in various applications, functional encryption (FE) including attribute-based encryption (ABE) and inner-product encryption (IPE) as well as attribute-based signatures (ABS), generic conversion from composite-order group based schemes to prime-order group based ones and public-key watermarking. In this paper, we show the concept of DPVS, the major applications to FE and the key techniques employed in these applications. This paper presents them with placing more emphasis on plain and intuitive descriptions than formal preciseness.

In this paper, we will report practical modifications of the side-channel analysis to (EC)DSA [1],[2],[5],[34] that Leadbitter et al. have proposed in [16]. To apply the analyses, we assume that the window method is used in the exponentiation or elliptic curve (EC) scalar multiplication and the side-channel information described in Sect. 3.2 can be collected. So far, the method in [16] hasn't been effective when the size q of a cyclic group used in (EC)DSA is 160 bit long and the window size w < 9. We show that the modified method we propose in this paper is effective even when q is 160 bit long and w=4. This shows that our method is effective for various practical implementations, e.g., that in resource restricted environment like IC card devises. First, we estimate the window size w necessary for the proposed analyses (attacks) to succeed. Then by experiment of the new method, we show that private keys of (EC)DSA can be obtained under the above assumptions, in practical time and with sufficient success rate. The result raises the necessity of countermeasures against the analyses (attacks) in the window method based implementation of (EC)DSA.

Recently, some cryptographic primitives have been described that are based on the supposed hardness of finding an isogeny between two supersingular elliptic curves. As a part of such a primitive, Charles et al. proposed an algorithm for computing sequences of 2-isogenies. However, their method involves several redundant computations. We construct simple algorithms without such redundancy, based on very compact descriptions of the 2-isogenies. For that, we use some observations on 2-torsion points.

We propose a key-policy attribute-based encryption (KP-ABE) scheme with constant-size ciphertexts, whose almost tightly semi-adaptive security is proven under the decisional linear (DLIN) assumption in the standard model. The access structure is expressive, that is given by non-monotone span programs. It also has fast decryption, i.e., a decryption includes only a constant number of pairing operations. As an application of our KP-ABE construction, we also propose an efficient, fully secure attribute-based signatures with constant-size secret (signing) keys from the DLIN. For achieving the above results, we extend the sparse matrix technique on dual pairing vector spaces. In particular, several algebraic properties of an elaborately chosen sparse matrix group are applied to the dual system security proofs.

This paper presents the first attribute-based signature (ABS) scheme in which the correspondence between signers and signatures is captured in an arithmetic model of computation. Specifically, we design a fully secure, i.e., adaptively unforgeable and perfectly signer-private ABS scheme for signing policies realizable by arithmetic branching programs (ABP), which are a quite expressive model of arithmetic computations. On a more positive note, the proposed scheme places no bound on the size and input length of the supported signing policy ABP's, and at the same time, supports the use of an input attribute for an arbitrary number of times inside a signing policy ABP, i.e., the so called unbounded multi-use of attributes. The size of our public parameters is constant with respect to the sizes of the signing attribute vectors and signing policies available in the system. The construction is built in (asymmetric) bilinear groups of prime order, and its unforgeability is derived in the standard model under (asymmetric version of) the well-studied decisional linear (DLIN) assumption coupled with the existence of standard collision resistant hash functions. Due to the use of the arithmetic model as opposed to the boolean one, our ABS scheme not only excels significantly over the existing state-of-the-art constructions in terms of concrete efficiency, but also achieves improved applicability in various practical scenarios. Our principal technical contributions are (a) extending the techniques of Okamoto and Takashima [PKC 2011, PKC 2013], which were originally developed in the context of boolean span programs, to the arithmetic setting; and (b) innovating new ideas to allow unbounded multi-use of attributes inside ABP's, which themselves are of unbounded size and input length.

The Gallant-Lambert-Vanstone method [14](GLV method for short) is a scalar multiplication method for elliptic curve cryptography (ECC). In WAP WTLS [49], SEC 2 [44], ANSI X9.62 [1] and X9.63 [2], several domain parameters for applications of the GLV method are described. Curves with those parameters have efficiently-computable endomorphisms. Recently the GLV method for Jacobians of hyperelliptic curve (HEC) has also been studied. In this paper, we discuss applications of the GLV method to curves with real multiplication (RM). It is the first time to use RM for efficient scalar multiplication as far as we know. We describe the general algorithm for using such RM, and we show that some genus 2 curves with RM have enough effciency to be used in the GLV method as in the previous CM case. Moreover, we will see that such RM curves can be obtained abundantly unlike the previously proposed CM curves of genus 2.

This paper presents decentralized multi-authority attribute-based encryption and signature (DMA-ABE and DMA-ABS) schemes, in which no central authority exists and no global coordination is required except for the setting of a parameter for a prime order bilinear group and a hash function, which can be available from public documents, e.g., ISO and FIPS official documents. In the proposed DMA-ABE and DMA-ABS schemes, every process can be executed in a fully decentralized manner; any party can become an authority and issue a piece for a secret key to a user without interacting with any other party, and each user obtains a piece of his/her secret key from the associated authority without interacting with any other party. While enjoying such fully decentralized processes, the proposed schemes are still secure against collusion attacks, i.e., multiple pieces issued to a user by different authorities can form a collusion resistant secret key, composed of these pieces, of the user. The proposed ABE scheme is the first DMA-ABE for non-monotone relations (and more general relations), which is adaptively secure under the decisional linear (DLIN) assumption in the random oracle model. This paper also proposes the first DMA-ABS scheme for non-monotone relations (and more general relations), which is fully secure, adaptive-predicate unforgeable and perfect private, under the DLIN assumption in the random oracle model. DMA-ABS is a generalized notion of ring signatures. The efficiency of the proposed DMA-ABE and DMA-ABS schemes is comparable to those of the existing practical ABE and ABS schemes with comparable relations and security.

This paper demonstrates how to achieve simulation-based strong attribute hiding against adaptive adversaries for predicate encryption (PE) schemes supporting expressive predicate families under standard computational assumptions in bilinear groups. Our main result is a simulation-based adaptively strongly partially-hiding PE (PHPE) scheme for predicates computing arithmetic branching programs (ABP) on public attributes, followed by an inner-product predicate on private attributes. This simultaneously generalizes attribute-based encryption (ABE) for boolean formulas and ABP's as well as strongly attribute-hiding PE schemes for inner products. The proposed scheme is proven secure for any a priori bounded number of ciphertexts and an unbounded (polynomial) number of decryption keys, which is the best possible in the simulation-based adaptive security framework. This directly implies that our construction also achieves indistinguishability-based strongly partially-hiding security against adversaries requesting an unbounded (polynomial) number of ciphertexts and decryption keys. The security of the proposed scheme is derived under (asymmetric version of) the well-studied decisional linear (DLIN) assumption. Our work resolves an open problem posed by Wee in TCC 2017, where his result was limited to the semi-adaptive setting. Moreover, our result advances the current state of the art in both the fields of simulation-based and indistinguishability-based strongly attribute-hiding PE schemes. Our main technical contribution lies in extending the strong attribute hiding methodology of Okamoto and Takashima [EUROCRYPT 2012, ASIACRYPT 2012] to the framework of simulation-based security and beyond inner products.

Cryptosystems using pairing computation on elliptic curves have various applications including ID-based encryption ([19],[29],[30] etc.). Scott [33] proposed a scaling method of security by a change of the embedding degree k. On the other hand, he also presented an efficient pairing computation method on an ordinary (non-supersingular) elliptic curve over a large prime field Fp ([34]). In this paper, we present an implementation method of the pairing computation with both of the security scaling in [33] and the efficiency in [34]. First, we will investigate the mathematical nature of the set of the paremeter r (the order of cyclic group used) so as to support many k's. Then, based on it, we will suggest some modification to the algorithm of Scott in [34] to achieve flexible scalability of security level.