Group Encryption: Non-interactive Realization in the Standard Model

  • Julien Cathalo
  • Benoît Libert
  • Moti Yung
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5912)

Abstract

Group encryption (GE) schemes, introduced at Asiacrypt’07, are an encryption analogue of group signatures with a number of interesting applications. They allow a sender to encrypt a message (in the CCA2 security sense) for some member of a PKI group concealing that member’s identity (in a CCA2 security sense, as well); the sender is able to convince a verifier that, among other things, the ciphertext is valid and some anonymous certified group member will be able to decrypt the message. As in group signatures, an opening authority has the power of pinning down the receiver’s identity. The initial GE construction uses interactive proofs as part of the design (which can be made non-interactive using the random oracle model) and the design of a fully non-interactive group encryption system is still an open problem. In this paper, we give the first GE scheme, which is a pure encryption scheme in the standard model, i.e., a scheme where the ciphertext is a single message and proofs are non-interactive (and do not employ the random oracle heuristic). As a building block, we use a new public key certification scheme which incurs the smallest amount of interaction, as well.

Keywords

Group encryption anonymity provable security 

References

  1. 1.
    An, J.H., Dodis, Y., Rabin, T.: On the security of joint signature and encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 83–107. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  2. 2.
    Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols. In: ACM CCS 1993, pp. 62–73 (1993)Google Scholar
  5. 5.
    Boldyreva, A., Fischlin, M., Palacio, A., Warinschi, B.: A closer look at PKI: Security and efficiency. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 458–475. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  6. 6.
    Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)Google Scholar
  7. 7.
    Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)Google Scholar
  8. 8.
    Boneh, D., Franklin, M.: Identity based encryption from the Weil pairing. SIAM J. of Computing 32(3), 586–615 (2003); Extended abstract in Crypto 2001, LNCS, vol. 2139, pp. 213–229 (2001)MATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Boyen, X., Delerablée, C.: Expressive subgroup signatures. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 185–200. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Camenisch, J., Chandran, N., Shoup, V.: A public key encryption scheme secure against key dependent chosen plaintext and adaptive chosen ciphertext attacks. In: Ghilardi, S. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 351–368. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  12. 12.
    Camenisch, J., Lysyanskaya, A.: A Signature Scheme with Efficient Protocols. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Camenisch, J., Shoup, V.: Practical verifiable encryption and decryption of discrete logarithms. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 126–144. Springer, Heidelberg (2003)Google Scholar
  14. 14.
    Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. Journal of the ACM 51(4), 557–594 (2004)CrossRefMathSciNetGoogle Scholar
  15. 15.
    Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004)Google Scholar
  16. 16.
    Chaum, D., van Heyst, E.: Group signatures. In: Davies, D.W. (ed.) EUROCRYPT 1991. LNCS, vol. 547, pp. 257–265. Springer, Heidelberg (1991)Google Scholar
  17. 17.
    Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)Google Scholar
  18. 18.
    Cramer, R., Shoup, V.: Signature schemes based on the strong rsa assumption. In: ACM CCS 1999, pp. 46–51 (1999)Google Scholar
  19. 19.
    Delerablée, C., Pointcheval, D.: Dynamic fully anonymous short group signatures. In: Nguyên, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 193–210. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  20. 20.
    Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)Google Scholar
  21. 21.
    Fuchsbauer, G., Pointcheval, D.: Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity for Signatures. In: Shacham, H., Waters, B. (eds.) Pairing 2009. LNCS, vol. 5671, pp. 132–149. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  22. 22.
    Goldwasser, S., Tauman-Kalai, Y.: On the (In)security of the Fiat-Shamir Paradig. In: FOCS 2003, pp. 102–115 (2003)Google Scholar
  23. 23.
    Groth, J.: Simulation-sound NIZK proofs for a practical language and constant size group signatures. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 444–459. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  24. 24.
    Groth, J.: Fully anonymous group signatures without random oracles. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 164–180. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  25. 25.
    Groth, J.: Homomorphic trapdoor commitments to group elements. Cryptology ePrint Archive: Report 2009/007 (2009)Google Scholar
  26. 26.
    Groth, J., Lu, S.: A non-interactive shuffle with pairing based verifiability. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 51–67. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  27. 27.
    Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  28. 28.
    Halevi, S.: A Sufficient Condition for Key-Privacy. Cryptology ePrint Archive: Report 2005/005 (2005)Google Scholar
  29. 29.
    Kiayias, A., Tsiounis, Y., Yung, M.: Group encryption. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 181–199. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  30. 30.
    Kiayias, A., Yung, M.: Group signatures with efficient concurrent join. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 198–214. Springer, Heidelberg (2005)Google Scholar
  31. 31.
    Kiltz, E.: Chosen-ciphertext security from tag-based encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 581–600. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  32. 32.
    Krawczyk, H., Rabin, T.: Chameleon signatures. In: NDSS 2000 (2000)Google Scholar
  33. 33.
    Kunz-Jacques, S., Pointcheval, D.: About the security of MTI/C0 and MQV. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 156–172. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  34. 34.
    Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: STOC 1989, pp. 33–43 (1989)Google Scholar
  35. 35.
    Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)Google Scholar
  36. 36.
    Qin, B., Wu, Q., Susilo, W., Mu, Y., Wang, Y.: Publicly Verifiable Privacy-Preserving Group Decryption. In: Moti, Y., Liu, P., Lin, D. (eds.) Inscrypt 2008. LNCS, vol. 5487, pp. 72–83. Springer, Heidelberg (2008)Google Scholar
  37. 37.
    Shacham, H.: A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. Cryptology ePrint Archive: Report 2007/074 (2007)Google Scholar
  38. 38.
    Shoup, V.: A proposal for the ISO standard for public-key encryption (version 2.1). manuscript (2001), http://shoup.net/

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Julien Cathalo
    • 1
  • Benoît Libert
    • 1
  • Moti Yung
    • 2
  1. 1.Université catholique de Louvain, Crypto GroupBelgium
  2. 2.Google Inc. and Columbia UniversityUSA

Personalised recommendations