Identity-based encryption (IBE) is one of the most important primitives in cryptography, and various security notions of IBE (e.g., IND-ID-CCA2, NM-ID-CCA2, IND-sID-CPA etc.) have been introduced. The relations among them have been clarified recently. This paper, for the first time, investigates the security of IBE in the universally composable (UC) framework. This paper first defines the UC-security of IBE, i.e., we define the ideal functionality of IBE, FIBE. We then show that UC-secure IBE is equivalent to conventionally-secure (IND-ID-CCA2-secure) IBE.

We introduce a notion of watermarking for cryptographic functions and propose a concrete scheme for watermarking cryptographic functions. Informally speaking, a digital watermarking scheme for cryptographic functions embeds information, called a mark, into functions such as one-way functions and decryption functions of public-key encryption. There are two basic requirements for watermarking schemes. A mark-embedded function must be functionally equivalent to the original function. It must be difficult for adversaries to remove the embedded mark without damaging the original functionality. In spite of its importance and usefulness, there have only been a few theoretical works on watermarking for functions (or programs). Furthermore, we do not have rigorous definitions of watermarking for cryptographic functions and concrete constructions. To solve the problem above, we introduce a notion of watermarking for cryptographic functions and define its security. Furthermore, we present a lossy trapdoor function (LTF) based on the decisional bilinear Diffie-Hellman problem problem and a watermarking scheme for the LTF. Our watermarking scheme is secure under the symmetric external Diffie-Hellman assumption in the standard model. We use techniques of dual system encryption and dual pairing vector spaces (DPVS) to construct our watermarking scheme. This is a new application of DPVS.

Leakage resilient cryptography is often considered in the presence of a very strong leakage oracle: An adversary may submit arbitrary efficiently computable function f to the leakage oracle to receive f(x), where x denotes the entire secret that a party possesses. This model is somewhat too strong in the setting of public-key encryption (PKE). It is known that no secret-key leakage resilient PKE scheme exists if the adversary may have access to the secret-key leakage oracle to receive only one bit after it was given the challenge ciphertext. Similarly, there exists no sender-randomness leakage resilient PKE scheme if one-bit leakage occurs after the target public key was given to the adversary. At TCC 2011, Halevi and Lin have broken the barrier of after-the-fact leakage, by proposing the so-called split state model, where a secret key of a party is explicitly divided into at least two pieces, and the adversary may have not access to the entire secret at once, but each divided pieces, one by one. In the split-state model, they have constructed post-challenge secret-key leakage resilient CPA secure PKEs from hash proof systems, but the construction of CCA secure post-challenge secret-key leakage PKE has remained open. They have also remained open to construct sender-randomness leakage PKE in the split state model. This paper provides a solution to the open issues. We also note that the proposal of Halevi and Lin is post-challenge secret-key leakage CPA secure against a single challenge ciphertext; not against multiple challenges. We present an efficient generic construction that converts any CCA secure PKE scheme into a multiple-challenge CCA secure PKE that simultaneously tolerates post-challenge secret-key and sender-randomness leakage in the split state model, without any additional assumption. In addition, our leakage amount of the resulting schemes is the same as that of Halevi and Lin CPA PKE, i.e., (1/2+γ)l/2 where l denotes the length of the entire secret (key or randomness) and γ denotes a universal (possitive) constant less than 1/2. Our conversion is generic and available for many other public-key primitives. For instance, it can convert any identity-based encryption (IBE) scheme to a post-challenge master-key leakage and sender-randomness leakage secure IBE.

This paper presents a new non-interactive string-commitment scheme that achieves universally composable security. Security is proven under the decisional composite residuosity (DCR) assumption (or the decisional Diffie-Hellman (DDH) assumption) in the common reference string (CRS) model. The universal composability (UC) is a very strong security notion. If cryptographic protocols are proven secure in the UC framework, then they remain secure even if they are composed with arbitrary protocols and polynomially many copies of the protocols are run concurrently. Many UC commitment schemes in the CRS model have been proposed, but they are either interactive commitment or bit-commitment (not string-commitment) schemes. We note, however, that although our scheme is the first non-interactive UC string-commitment scheme, a CRS is not reusable. We use an extension of all-but-one trapdoor functions (ABO-TDFs) proposed by Peikert and Waters at STOC 2008 as an essential building block. Our main idea is to extend (original deterministic) ABO-TDFs to probabilistic ones by using the homomorphic properties of their function indices. The function indices of ABO-TDFs consist of ciphertexts of homomorphic encryption schemes (such as ElGamal, and Damgåd-Jurik encryption). Therefore we can re-randomize the output of ABO-TDFs by re-randomization of ciphertexts. This is a new application of ABO-TDFs.

This paper presents a new non-interactive multi-trapdoor commitment scheme from the standard RSA assumption. Multi-trapdoor commitment is a stronger variant of trapdoor commitment. Its notion was introduced by Gennaro at CRYPTO 2004. Multi-trapdoor commitment schemes are very useful because we can convert a non-interactive multi-trapdoor commitment scheme into a non-interactive and reusable non-malleable commitment scheme by using one-time signature and transform any proof of knowledge into a concurrently non-malleable one (this can be used as concurrently secure identification). Gennaro gave concrete constructions of multi-trapdoor commitment, but its security relies on stronger assumptions, such as the strong RSA assumption and the q-strong Diffie-Hellman assumption as opposed to our construction based on the standard RSA assumption. As a corollary of our results, we constructed a non-interactive and reusable non-malleable commitment scheme from the standard RSA assumption. Our scheme is based on the Hohenberger-Waters (weak) signature scheme presented at CRYPTO 2009. Several non-interactive and reusable non-malleable commitment schemes (in the common reference string model) have been proposed, but they all rely on stronger assumptions (such as the strong RSA assumption). Thus, we give the first construction of a non-interactive and reusable non-malleable commitment scheme from the standard RSA assumption.

We propose two unidirectional proxy re-encryption schemes from the LWE assumptions. The schemes enjoy key privacy defined by Ateniese, Benson, and Hohenberger (CT-RSA 2009), that is, a delegator and a delegatee of a re-encryption key are anonymous.