To prove the graph relations such as the connectivity and isolation for a certified graph, a system of a graph signature and proofs has been proposed. In this system, an issuer generates a signature certifying the topology of an undirected graph, and issues the signature to a prover. The prover can prove the knowledge of the signature and the graph in the zero-knowledge, i.e., the signature and the signed graph are hidden. In addition, the prover can prove relations on the certified graph such as the connectivity and isolation between two vertexes. In the previous system, using integer commitments on RSA modulus, the graph relations are proved. However, the RSA modulus needs a longer size for each element. Furthermore, the proof size and verification cost depend on the total numbers of vertexes and edges. In this paper, we propose a graph signature and proof system, where these are computed on bilinear groups without the RSA modulus. Moreover, using a bilinear map accumulator, the prover can prove the connectivity and isolation on a graph, where the proof size and verification cost become independent from the total numbers of vertexes and edges.

Functional encryption is a new paradigm of public-key encryption that allows a user to compute f(x) on encrypted data CT(x) with a private key SKf to finely control the revealed information. Multi-input functional encryption is an important extension of (single-input) functional encryption that allows the computation f(x1,...,xn) on multiple ciphertexts CT(x1),...,CT(xn) with a private key SKf. Although multi-input functional encryption has many interesting applications like running SQL queries on encrypted database and computation on encrypted stream, current candidates are not yet practical since many of them are built on indistinguishability obfuscation. To solve this unsatisfactory situation, we show that practical two-input functional encryption schemes for inner products can be built based on bilinear maps. In this paper, we first propose a two-input functional encryption scheme for inner products in composite-order bilinear groups and prove its selective IND-security under simple assumptions. Next, we propose a two-client functional encryption scheme for inner products where each ciphertext can be associated with a time period and prove its selective IND-security. Furthermore, we show that our two-input functional encryption schemes in composite-order bilinear groups can be converted into schemes in prime-order asymmetric bilinear groups by using the asymmetric property of asymmetric bilinear groups.

Group signatures are a class of digital signatures with enhanced privacy. By using this type of signature, a user can sign a message on behalf of a specific group without revealing his identity, but in the case of a dispute, an authority can expose the identity of the signer. However, it is not always the case that we need to know the specific identity of a signature. In this paper, we propose the notion of deniable group signatures, where the authority can issue a proof showing that the specified user is NOT the signer of a signature, without revealing the actual signer. We point out that existing efficient non-interactive zero-knowledge proof systems cannot be straightforwardly applied to prove such a statement. We circumvent this problem by giving a fairly practical construction through extending the Groth group signature scheme (ASIACRYPT 2007). In particular, a denial proof in our scheme consists of 96 group elements, which is about twice the size of a signature in the Groth scheme. The proposed scheme is provably secure under the same assumptions as those of the Groth scheme.

Recently, Park and Lee suggested a new framework for realizing Identity-Based Encryption (IBE) trapdoor called ‘two-equation-revocation’, and proposed a new IBE system that makes use of a Map-To-Point hash function. In this paper, we present a variant of the PL system by giving a simple way to remove the Map-To-Point hash function from the PL system. Our variant is proven to be secure under non-standard security assumptions, which results in the degradation of security. Instead, our variant can have several efficiency advantages over the PL system: (1) it provides receiver's anonymity, (2) it has no correctness error, (3) it has shorter ciphertext, and (4) it has faster encryption. As a result, (when not considering security assumptions and security losses) our variant is as efficient as the Boneh-Boyen and Sakai-Kasahara IBE systems that are considered as being the most practical ones.

A multisignature (MS) scheme enables a group of signers to produce a compact signature on a common message. In analyzing security of MS schemes, a key registration protocol with proof-of-possession (POP) is considered to prevent rogue key attacks. In this paper, we refine the POP-based security model by formalizing a new strengthened POP model and showing relations between the previous POP models and the new one. We next suggest a MS scheme that achieves: (1) non-interactive signing process, (2) O(1) pairing computations in verification, (3) tight security reduction under the co-CDH assumption, and (4) security under the new strengthened POP model. Compared to the tightly-secure BNN-MS scheme, the verification in ours can be at least 7 times faster at the 80-bit security level and 10 times faster at the 128-bit security level. To achieve our goal, we introduce a novel and simple POP generation method that can be viewed as a one-time signature without random oracles. Our POP technique can also be applied to the LOSSW-MS scheme (without random oracles), giving the security in the strengthened POP model.

In proxy re-encryption schemes, a semi-trusted entity called a proxy can convert a ciphertext encrypted for Alice into a new ciphertext for Bob without seeing the underlying plaintext. Several proxy re-encryption schemes have been proposed, however, only two schemes which enables the conversion of IBE ciphertexts to PKE ciphertexts has been proposed. One of schemes has some drawbacks such that the size of the re-encrypted ciphertext increases and Bob must be aware of existence of the proxy, which means Bob cannot decrypt a re-encrypted ciphertext with same PKE decryption algorithm. The other one achieves security under Selective-ID model. We propose a new, efficient scheme that enables the conversion of IBE ciphertexts to PKE ciphertexts, and prove full-ID CPA security in the standard model. In our scheme, the size of the re-encrypted ciphertext is optimal and Bob should not aware of existence of the proxy. As far as we know, this is the first IBE-PKE type scheme that holds the above properties.

The Hidden Vector Encryption scheme is one of the searchable public key encryption schemes that allow for searching encrypted data. The Hidden Vector Encryption scheme supports conjunctive equality, comparison, and subset queries, as well as arbitrary conjunctive combinations of these queries. In a Hidden Vector Encryption scheme, a receiver generates a token for a vector of searchable components and sends the token to a query server which has the capability to evaluate it on encrypted data. All of the existing Hidden Vector Encryption schemes, which are all pairing-based, require token elements and pairing computations proportional to the number of searchable components in the token. In this paper, we suggest an improved paring-based Hidden Vector Encryption scheme where the token elements and pairing computations are independent of the number of searchable components. Namely, for an arbitrary conjunctive search query, the token is of size O(1) and the query server only needs O(1) pairing computations. The latter improvement in particular might be very attractive to a query server in a larger search system with many users. To achieve our goal, we introduce a novel technique to generate a token, which may be of independent interest.

Recently, Hu et al. have suggested a fully secure hierarchical identity-based encryption (HIBE) scheme that achieves constant size ciphertext and tight security reduction. Their construction was based on Gentry's IBE scheme that supports their security proof. In this paper, we show that their security proof is incorrect. We point out the difference between Gentry's proof and that of Hu et al., and we show that the security of Hu et al.'s HIBE scheme cannot be reduced to their claimed complexity assumption.

In this letter, we improve NF'07 (Nakanishi and Funabiki) VLR group signature scheme such that it satisfies exculpability and has lower computation costs. In the proposed scheme, a group member generates his own private key together with the group manager in order to realize exculpability while the signature size is not made longer. Also, a new revocation check method is proposed at the step of verifying, and the computation costs of verifying are independent of the number of the revoked members, while they are linear with the number of the revoked members in the original scheme. Thus, the proposed scheme is more efficient than the original scheme and can be applicable to mobile environments such as IEEE 802.1x.

In this letter, we provide a simple proof of bilinearity for the eta pairing. Based on it, we show an efficient method to compute the powered Tate pairing as well. Although efficiency of our method is equivalent to that of the Tate pairing on the eta pairing approach, but ours is more general in principle.

Previously Verifier-Local Revocation (VLR) group signature schemes from bilinear maps were proposed. In VLR schemes, only verifiers are involved in the revocation of a member, while signers are not. Thus, the VLR schemes are suitable for mobile environments. Furthermore, the previously proposed schemes satisfy the important backward unlinkability. This means that even after a member is revoked, signatures produced by the member before the revocation remain anonymous. This property is needed in case of a voluntary leave of a member or in case of a key loss. However, in the previous schemes, signatures become long, due to the adopted assumption, which should be improved in order to apply the schemes to the mobile environments. In this paper an improved VLR scheme is proposed with the shorter group signatures. This is achieved by using a different assumption, DLDH assumption, and improving zero-knowledge proofs in the group signatures. The length of the proposed group signatures is reduced to about 53% of that of the previous ones.

An approach of membership revocation in group signatures is verifier-local revocation (VLR for short). In this approach, only verifiers are involved in the revocation mechanism, while signers have no involvement. Thus, since signers have no load, this approach is suitable for mobile environments. Although Boneh and Shacham recently proposed a VLR group signature scheme from bilinear maps, this scheme does not satisfy the backward unlikability. The backward unlinkability means that even after a member is revoked, signatures produced by the member before the revocation remain anonymous. In this paper, we propose VLR group signature schemes with the backward unlinkability from bilinear maps.

Multisignature schemes enable us to integrate multiple signatures into a single short signature. In 2001, Mitomi and Miyaji proposed a general model of multisignatures, in which signed messages are flexible and the signing order is verifiable and flexible. Several schemes that satisfy these properties have been proposed, but to the best of our knowledge, their verifiable orders are limited to only sequential structures unlike some order-verifiable (but not message-flexible) multisignatures. We define a signing structure as a labeled tree, which can represent any natural signing order including series-parallel graphs, and formalize a general model of multisignatures that makes good use of our structure. We present a security model for such signatures, give the construction based on the general aggregate signature developed by Boneh et al., and provide a security proof in the random oracle model.

We propose a new group signature scheme which is secure if we assume the Decision Diffie-Hellman assumption, the q-Strong Diffie-Hellman assumption, and the existence of random oracles. The proposed scheme is the most efficient among the all previous group signature schemes in signature length and in computational complexity. This paper is the full version of the extended abstract appeared in ACISP 2005 [17].

Recently, Boneh and Boyen proposed a new provably secure short signature scheme under the q-strong Diffie-Hellman assumption without random oracles. This scheme is based on bilinear map which is different from Cramer-Shoup signature scheme (which is based on the strong RSA assumption). However, Tan [17] showed that Boneh- Boyen scheme is subjected to key substitution attacks in the multi-user setting. In this paper, we propose a new signature scheme. We prove that the proposed scheme is provably secured against existential forgery under adaptive chosen message attack in the standard model and also secure against key substitution attacks.

Lee et al. recently proposed the first identity-based key agreement protocols for a multiple PKG environment where each PKG has different domain parameters in ICCSA 2005. However, this letter demonstrates that Lee et al.'s scheme does not include the property of implicit key authentication which is the fundamental security requirement, making it vulnerable to an impersonation attack.