The search functionality is under construction.

Keyword Search Result

[Keyword] encryption scheme (13 hits)

Hits 1-13
  • Two-Round Witness Hiding Protocol

    Qihua NIU  Tongjiang YAN  Yuhua SUN  Chun'e ZHAO  Fei TANG  

     
PAPER-Cryptography and Information Security
Vol: E101-A No:6, Page(s): 953-960

The concept of witness hiding was proposed by Feige and Shamir as a natural relaxation of zero-knowledge. Prior constructions of witness hiding protocols for general hard distributions on NP languages require at least three rounds. In this paper we construct a two-round witness hiding protocol for all hard distributions on NP languages. Our construction is based on two primitives: point obfuscation and an adaptive witness encryption scheme.

  • An Efficient Key Generation of ZHFE Public Key Cryptosystem

    Yasuhiko IKEMATSU  Dung Hoang DUONG  Albrecht PETZOLDT  Tsuyoshi TAKAGI  

     
PAPER
Vol: E101-A No:1, Page(s): 29-38

ZHFE, proposed by Porras et al. at PQCrypto'14, is one of the very few existing multivariate encryption schemes and a very promising candidate for post-quantum cryptosystems. Its only drawback is its slow key generation. At PQCrypto'16, Baena et al. proposed an algorithm to construct the private ZHFE keys, which is much faster than the original algorithm, but still inefficient for practical parameters. Recently, Zhang and Tan proposed another private key generation algorithm, which is very fast but not necessarily able to generate all the private ZHFE keys. In this paper we propose a new efficient algorithm for the private key generation and estimate the number of possible keys generated by all existing private key generation algorithms for the ZHFE scheme. Our algorithm generates as many private ZHFE keys as the original and Baena et al.'s algorithms and reduces the complexity from O(n^(2ω+1)) by Baena et al. to O(n^(ω+3)), where n is the number of variables and ω is a linear algebra constant. Moreover, we also analyze when the decryption of the ZHFE scheme does not work.

  • CyclicSRP - A Multivariate Encryption Scheme with a Partially Cyclic Public Key

    Dung Hoang DUONG  Albrecht PETZOLDT  Tsuyoshi TAKAGI  

     
PAPER-Cryptography and Information Security
Vol: E100-A No:12, Page(s): 2691-2698

Multivariate Public Key Cryptography (MPKC) is one of the main candidates for secure communication in a post-quantum era. Recently, Yasuda and Sakurai proposed at ICICS 2015 a new multivariate encryption scheme called SRP, which offers efficient decryption, a small blow-up factor between plaintext and ciphertext, and resists all known attacks against multivariate schemes. However, similar to other MPKC schemes, the key sizes of SRP are quite large. In this paper we propose a technique to reduce the key size of the SRP scheme, which enables us to reduce the size of the public key by up to 54%. Furthermore, we can use the additional structure in the public key polynomials to speed up the encryption process of the scheme by up to 50%. We show by experiments that our modifications do not weaken the security of the scheme.

  • Optimality of Tweak Functions in CLOC

    Hayato KOBAYASHI  Kazuhiko MINEMATSU  Tetsu IWATA  

     
PAPER-Cryptography and Information Security
Vol: E98-A No:10, Page(s): 2152-2164

An authenticated encryption scheme is used to guarantee both privacy and authenticity of digital data. At FSE 2014, an authenticated encryption scheme called CLOC was proposed. CLOC is designed to handle short input data efficiently without heavy precomputation or large memory. This is achieved by treating the input data differently in the encryption process according to several cases. Five tweak functions are used to handle the conditional branches, and they are designed to satisfy 55 differential probability constraints, which are used in the security proof of CLOC. In this paper, we show that all these 55 constraints are necessary. This shows the design optimality of the tweak functions in CLOC in that the constraints cannot be relaxed, and hence the specification of the tweak functions cannot be simplified.

  • Cryptanalysis and Improvement of an Encoding Method for Private-Key Hidden Vector Encryptions

    Fu-Kuo TSENG  Rong-Jaye CHEN  

     
LETTER-Cryptography and Information Security
Vol: E98-A No:9, Page(s): 1982-1984

A predicate encryption scheme enables the owner of the master key to enforce fine-grained access control on encrypted cloud data through the delegation of predicate tokens to cloud storage. In particular, Blundo et al. proposed a construction where a predicate token reveals partial information about the involved keywords to enable efficient operations on encrypted keywords. However, we found that a predicate token reveals more information than what was claimed because of the encoding scheme. In this letter, we not only analyze this extra information leakage but also present an improved encoding scheme for Blundo et al.'s scheme and other similar schemes to preserve predicate privacy.

  • Network Adversary Attacks against Secure Encryption Schemes

    Virgil D. GLIGOR  Bryan PARNO  Ji Sun SHIN  

     
PAPER-Fundamental Theories for Communications
Vol: E98-B No:2, Page(s): 267-279

    We show that, in practice, a network adversary can achieve decidedly non-negligible advantage in attacking provable key-protection properties; e.g., the “existential key recovery” security and “multi-key hiding” property of typical nonce-based symmetric encryption schemes whenever these schemes are implemented with standard block ciphers. We also show that if a probabilistic encryption scheme uses certain standard block ciphers (e.g., two-key 3DES), then enforcing the security bounds necessary to protect against network adversary attacks will render the scheme impractical for network applications that share group keys amongst many peers. The attacks presented here have three noteworthy implications. First, they help identify key-protection properties that separate the notion of indistinguishability from random bits (IND$) from the strictly weaker notion of indistinguishability of ciphertexts (IND); also, they help establish new relationships among these properties. Second, they show that nonce-based symmetric encryption schemes are typically weaker than probabilistic ones. Third, they illustrate the need to account for the Internet-level growth of adversary capabilities when establishing the useful lifetime of standard block-cipher parameters.
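The following Python simulation is an added illustration of the multi-target setting the abstract describes (many peers, each with its own key, all encrypting a known header under a nonce-based scheme); it is not code from the paper and does not reproduce the paper's bounds or parameters. The 20-bit "block cipher" (a SHA-256 based PRF), the 8-byte header, the peer count and the attacker's work budget are all constructed for the demo so that it runs in well under a second. It shows why a nonce-based scheme whose peers all start their counters at the same value lets one search cover every key at once, while a probabilistic scheme with per-peer random IVs forces the same budget to be split across N distinct inputs.

```python
import hashlib
import random

# Toy parameters (assumptions for this demo): a 20-bit key space so that a
# 2^16-evaluation search finishes quickly in pure Python.
KEY_BITS = 20
BLOCK_BYTES = 8


def toy_block_cipher(key: int, block: bytes) -> bytes:
    """Stand-in for a standard block cipher: a keyed PRF built from SHA-256.
    The attack only needs it to be deterministic in (key, block)."""
    return hashlib.sha256(key.to_bytes(4, "big") + block).digest()[:BLOCK_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def first_keystream_block(key: int, nonce: int) -> bytes:
    """CTR-style nonce-based encryption: keystream block 0 is E_k(nonce || 0)."""
    return toy_block_cipher(key, nonce.to_bytes(4, "big") + bytes(4))


def encrypt_first_block(key: int, nonce: int, plaintext_block: bytes) -> bytes:
    return xor(first_keystream_block(key, nonce), plaintext_block)


def multi_target_key_recovery(targets, known_plaintext, work):
    """Existential key recovery against N peers at once.

    targets: list of (nonce, first ciphertext block), one per peer, each under
             its own key; the first plaintext block (a protocol header) is known.
    work:    number of candidate keys to try (0 .. work-1; keys are uniform, so
             this is as good as any other set of candidates).
    Returns (recovered {target index: key}, number of cipher evaluations).
    """
    wanted = {}
    for idx, (nonce, ct) in enumerate(targets):
        wanted.setdefault((nonce, xor(ct, known_plaintext)), []).append(idx)
    nonces = sorted({nonce for nonce, _ in targets})
    recovered, evaluations = {}, 0
    for cand in range(work):
        for nonce in nonces:            # one evaluation per distinct nonce value
            evaluations += 1
            ks = first_keystream_block(cand, nonce)
            for idx in wanted.get((nonce, ks), ()):
                recovered[idx] = cand
    return recovered, evaluations


def expected_hits(n_targets: int, work: int, key_bits: int = KEY_BITS) -> float:
    """Expected number of recovered keys: each target is hit w.p. work / 2^k."""
    return n_targets * work / 2 ** key_bits


def demo(n_targets: int = 256, budget: int = 2 ** 16, seed: int = 1) -> dict:
    rng = random.Random(seed)
    header = b"HDR v1.0"                       # constructed known first block
    keys = [rng.getrandbits(KEY_BITS) for _ in range(n_targets)]

    # Nonce-based scheme: every peer's first message uses nonce 0 (a counter),
    # so all N targets share one block-cipher input and one search covers them.
    nb_targets = [(0, encrypt_first_block(k, 0, header)) for k in keys]
    nb_found, nb_evals = multi_target_key_recovery(nb_targets, header, work=budget)

    # Probabilistic scheme: each peer picks a random IV, so the same budget is
    # split across N distinct inputs and covers only budget/N keys per target.
    ivs = [rng.getrandbits(32) for _ in range(n_targets)]
    pr_targets = [(iv, encrypt_first_block(k, iv, header)) for k, iv in zip(keys, ivs)]
    pr_found, pr_evals = multi_target_key_recovery(pr_targets, header,
                                                   work=budget // n_targets)

    return {
        "nonce_based": {"found": len(nb_found), "evaluations": nb_evals,
                        "expected": expected_hits(n_targets, budget),
                        "all_correct": all(keys[i] == k for i, k in nb_found.items())},
        "probabilistic": {"found": len(pr_found), "evaluations": pr_evals,
                          "expected": expected_hits(n_targets, budget // n_targets),
                          "all_correct": all(keys[i] == k for i, k in pr_found.items())},
    }


if __name__ == "__main__":
    print(demo())
```

With the demo's numbers both runs spend 2^16 cipher evaluations, but the nonce-based run expects 256 * 2^16 / 2^20 = 16 recovered keys while the probabilistic run expects 256 * 2^8 / 2^20 = 1/16. Scaling the key bits back up to a real block cipher changes the constants, not the ratio: the advantage grows linearly with the number of keys sharing the same cipher input, which is the group-keying situation the abstract refers to.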

  • Information-Theoretic Secrecy with Access to Decryption Oracles

    Christopher PORTMANN  Keisuke TANAKA  

     
LETTER-Cryptography and Information Security
Vol: E94-A No:7, Page(s): 1585-1590

    We analyze the security notion of information-theoretic secrecy against an adversary who can make adaptive queries to the decryption oracle, and show that it is equivalent to requiring that the encryption scheme can perfectly encrypt +1 different messages. This immediately yields a lower bound on the key length and an optimal construction, namely (+1)-wise independent permutations. This also gives an operational interpretation to the notion of decryption oracles in information-theoretic security.

  • Primitive Power Roots of Unity and Its Application to Encryption

    Takato HIRANO  Koichiro WADA  Keisuke TANAKA  

     
PAPER-Theory
Vol: E92-A No:8, Page(s): 1836-1844

We first consider a variant of the Schmidt-Samoa-Takagi encryption scheme without losing additively homomorphic properties. We show that this variant is secure in the sense of IND-CPA under the decisional composite residuosity assumption, and of OW-CPA under the assumption on the hardness of factoring n = p^2 q. Second, we introduce new algebraic properties "affine" and "pre-image restriction," which are closely related to homomorphicity. Intuitively, "affine" is a tuple of functions which have a special homomorphic property, and "pre-image restriction" is a function which can restrict the receiver to having information on the encrypted message. Then, we propose an encryption scheme with primitive power roots of unity in (Z/n^(s+1)). We show that our scheme has, in addition to the additively homomorphic property, the above algebraic properties. In addition to the properties, we also show that the encryption scheme is secure in the sense of OW-CPA and IND-CPA under new number theoretic assumptions.

  • A Note on the Random Oracle Methodology

    Mototsugu NISHIOKA  Naohisa KOMATSU  

     
PAPER-Cryptography and Information Security
Vol: E91-A No:2, Page(s): 650-663

    Canetti et al. [5] showed that there exist signature and encryption schemes that are secure in the random oracle (RO) model, but for which any implementation of the RO (by a single function or a function ensemble) results in insecure schemes. Their result greatly motivates the design of cryptographic schemes that are secure in the standard computational model. This paper gives some new results on the RO methodology. First, we give the necessary and sufficient condition for the existence of a signature scheme that is secure in the RO model but where, for any implementation of the RO, the resulting scheme is insecure. Next, we show that this condition induces a signature scheme that is insecure in the RO model, but that there is an implementation of the RO that makes the scheme secure.

  • Plaintext Simulatability

    Eiichiro FUJISAKI  

     
PAPER-Public Key Cryptography
Vol: E89-A No:1, Page(s): 55-65

We propose a new security class, called plaintext simulatability, defined over public-key encryption schemes. The notion of plaintext simulatability (denoted PS) is similar to the notion of plaintext awareness (denoted PA) defined in [3], but it is "properly" a weaker security class for public-key encryption. It is known that PA implies the class of CCA2-secure encryption (denoted IND-CCA2) but not vice versa. In most cases, PA is "unnecessarily" strong: in such cases, PA is only used to show that the public-key encryption scheme involved meets IND-CCA2, because it looks much easier to treat membership of PA than to treat membership of IND-CCA2 "directly". We show that PS also implies IND-CCA2, while preserving the same technical advantage as PA. We present two novel CCA2-secure public-key encryption schemes, which would otherwise have required more complicated security analyses. One is a random-oracle version of Dolev-Dwork-Naor's encryption scheme [8],[9]. Unlike the original scheme, this construction is efficient. The other is a public-key encryption scheme based on a strong pseudo-random permutation family [16] which provides the optimal ciphertext length for verifying the validity of ciphertexts, i.e., (ciphertext size) = (message size) + (randomness size). According to [19], such a construction remained open. Both schemes meet PS but not PA.

  • Shuffle for Paillier's Encryption Scheme

    Takao ONODERA  Keisuke TANAKA  

     
PAPER
Vol: E88-A No:5, Page(s): 1241-1248

In this paper, we propose a proof of shuffle, an honest-verifier zero-knowledge proof of knowledge in the style of the protocols by Groth and Furukawa. Unlike the previous schemes proposed by Furukawa-Sako, Groth, and Furukawa, our scheme can be used for the shuffle of elements encrypted under Paillier's encryption scheme, which has an additively homomorphic property in the message part. The ElGamal encryption scheme used in the previous schemes does not have this property.
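As an added illustration, not code from the paper or this page, the Python below implements textbook Paillier encryption, the additive homomorphism the abstract refers to, and the re-randomizing shuffle that a proof of shuffle certifies; it does not implement the zero-knowledge proof itself. The primes (104723 and 104729, far too small for real use), the sample ballots and the function names are constructed for the demo.

```python
import math
import random

# Constructed demo primes; real deployments use primes of 1024 bits or more.
P, Q = 104723, 104729


def L(x: int, n: int) -> int:
    """Paillier's L function: (x - 1) / n for x = 1 mod n."""
    return (x - 1) // n


def keygen(p: int = P, q: int = Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                            # standard generator choice
    mu = pow(L(pow(g, lam, n * n), n), -1, n)
    return (n, g), (lam, mu)


def random_unit(n: int, rng) -> int:
    """Uniform element of Z_n^* (the randomness r in a Paillier ciphertext)."""
    while True:
        r = rng.randrange(1, n)
        if math.gcd(r, n) == 1:
            return r


def encrypt(pk, m: int, rng=random) -> int:
    n, g = pk
    r = random_unit(n, rng)
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)


def decrypt(pk, sk, c: int) -> int:
    n, _ = pk
    lam, mu = sk
    return L(pow(c, lam, n * n), n) * mu % n


def add(pk, c1: int, c2: int) -> int:
    """Additive homomorphism: Enc(m1) * Enc(m2) = Enc(m1 + m2 mod n)."""
    n, _ = pk
    return c1 * c2 % (n * n)


def rerandomize(pk, c: int, rng=random) -> int:
    """Multiply by an encryption of zero (s^n); the message is unchanged."""
    n, _ = pk
    return c * pow(random_unit(n, rng), n, n * n) % (n * n)


def shuffle(pk, cts, rng=random):
    """One mix-net step: a secret permutation of re-randomized inputs. Without
    the permutation and the s values the outputs are unlinkable to the inputs,
    yet they decrypt to the same multiset of messages. A proof of shuffle shows
    exactly this relation without revealing the permutation."""
    perm = list(range(len(cts)))
    rng.shuffle(perm)
    return [rerandomize(pk, cts[i], rng) for i in perm], perm


def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)
    pk, sk = keygen()
    votes = [1, 0, 1, 1, 0]                      # constructed sample ballots
    cts = [encrypt(pk, v, rng) for v in votes]
    mixed, _ = shuffle(pk, cts, rng)
    tally_ct = cts[0]
    for c in cts[1:]:                            # homomorphic tally of the ballots
        tally_ct = add(pk, tally_ct, c)
    return {
        "roundtrip": [decrypt(pk, sk, c) for c in cts],
        "mixed": [decrypt(pk, sk, c) for c in mixed],
        "tally": decrypt(pk, sk, tally_ct),
        "unlinkable": all(c not in cts for c in mixed),
    }


if __name__ == "__main__":
    print(demo())
```

The tally step is what ElGamal-based shuffles cannot offer directly: multiplying ElGamal ciphertexts multiplies the messages, so a homomorphic count of ballots needs Paillier (or exponential ElGamal with a discrete-log step at the end).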

  • Cryptanalysis of Publicly Verifiable Authenticated Encryption

    Ting-Yi CHANG  Chou-Chen YANG  Min-Shiang HWANG  

     
LETTER-Information Security
Vol: E87-A No:6, Page(s): 1645-1646

Recently, Ma and Chen proposed a new authenticated encryption scheme with public verifiability. The signer can generate a signature with message recovery for a specified recipient. In case of a dispute, the recipient is able to convert the signature into an ordinary one that can be verified by anyone, without divulging her/his private key or the message. However, in this article we point out that any adversary can forge a converted signature.

  • Relations among Security Goals of Probabilistic Public-Key Cryptosystems

    Ako SUZUKI  Yuichi KAJI  Hajime WATANABE  

     
PAPER
Vol: E84-A No:1, Page(s): 172-178

This paper formalizes some new notions of security for probabilistic public-key encryption schemes. The framework for these notions was originally presented in the work by Bellare et al., in which they consider non-malleability and indistinguishability under chosen-plaintext attack, non-adaptive chosen-ciphertext attack and adaptive chosen-ciphertext attack. This paper extends the results of Bellare et al. by introducing two goals, equivalence undecidability and non-verifiability, under the above three attack models. Such goals are sometimes required in electronic voting and bidding systems. It is shown that equivalence undecidability, non-verifiability and indistinguishability are all equivalent under the three attack models.