Group encryption: full dynamicity, message filtering and code-based instantiation. (English) Zbl 07873161
Summary: Group encryption (GE), introduced by Kiayias, Tsiounis and Yung (Asiacrypt’07), is the encryption analogue of group signatures. It allows to send verifiably encrypted messages satisfying certain requirements to certified members of a group, while keeping the anonymity of the receivers. Similar to the tracing mechanism in group signatures, the receiver of any ciphertext can be identified by an opening authority – should the needs arise. The primitive of GE is motivated by a number of interesting privacy-preserving applications, including the filtering of encrypted emails sent to certified members of an organization.
This paper aims to improve the state-of-affairs of GE systems. Our first contribution is the formalization of fully dynamic group encryption (FDGE) – a GE system simultaneously supporting dynamic user enrolments and user revocations. The latter functionality for GE has not been considered so far. As a second contribution, we realize the message filtering feature for GE based on a list of \(t\)-bit keywords and 2 commonly used policies: “permissive” – accept the message if it contains at least one of the keywords as a substring; “prohibitive” – accept the message if all of its \(t\)-bit substrings are at Hamming distance at least \(d\) from all keywords, for \(d \geq 1\). This feature so far has not been substantially addressed in existing instantiations of GE based on DCR, DDH, pairing-based and lattice-based assumptions. Our third contribution is the first instantiation of GE under code-based assumptions. The scheme is more efficient than the lattice-based construction of Libert et al. (Asiacrypt’16) – which, prior to our work, is the only known instantiation of GE under post-quantum assumptions. Our scheme supports the 2 suggested policies for message filtering, and in the random oracle model, it satisfies the stringent security notions for FDGE that we put forward.
This paper aims to improve the state-of-affairs of GE systems. Our first contribution is the formalization of fully dynamic group encryption (FDGE) – a GE system simultaneously supporting dynamic user enrolments and user revocations. The latter functionality for GE has not been considered so far. As a second contribution, we realize the message filtering feature for GE based on a list of \(t\)-bit keywords and 2 commonly used policies: “permissive” – accept the message if it contains at least one of the keywords as a substring; “prohibitive” – accept the message if all of its \(t\)-bit substrings are at Hamming distance at least \(d\) from all keywords, for \(d \geq 1\). This feature so far has not been substantially addressed in existing instantiations of GE based on DCR, DDH, pairing-based and lattice-based assumptions. Our third contribution is the first instantiation of GE under code-based assumptions. The scheme is more efficient than the lattice-based construction of Libert et al. (Asiacrypt’16) – which, prior to our work, is the only known instantiation of GE under post-quantum assumptions. Our scheme supports the 2 suggested policies for message filtering, and in the random oracle model, it satisfies the stringent security notions for FDGE that we put forward.
MSC:
| 68Qxx | Theory of computing |
Keywords:
group encryption; full dynamicity; revocation; anonymity; zero-knowledge; spam filtering; code-based; protocols; string; matchingSoftware:
McElieceReferences:
| [1] | Aimani, L. E.; Joye, M., Toward practical group encryption, (Jr., M. J.J.; Locasto, M. E.; Mohassel, P.; Safavi-Naini, R., ACNS 2013. ACNS 2013, LNCS, vol. 7954, 2013, Springer), 237-252 · Zbl 1300.94053 |
| [2] | Alamélou, Q.; Blazy, O.; Cauchie, S.; Gaborit, P., A code-based group signature scheme, Des. Codes Cryptogr., 82, 1-2, 469-493, 2017 · Zbl 1357.81071 |
| [3] | Applebaum, B.; Haramaty, N.; Ishai, Y.; Kushilevitz, E.; Vaikuntanathan, V., Low-complexity cryptographic hash functions, (ITCS 2017. ITCS 2017, LIPIcs, vol. 67, 2017, Schloss Dagstuhl - Leibniz-Zentrum für Informatik), Article 7 pp. · Zbl 1402.94051 |
| [4] | Augot, D.; Finiasz, M.; Sendrier, N., A fast provably secure cryptographic hash function, IACR Cryptol. ePrint Arch., 2003, 230, 2003 |
| [5] | Augot, D.; Finiasz, M.; Sendrier, N., A family of fast syndrome based cryptographic hash functions, (Mycrypt 2005. Mycrypt 2005, LNCS, vol. 3715, 2005, Springer), 64-83 · Zbl 1126.94320 |
| [6] | Becker, A.; Joux, A.; May, A.; Meurer, A., Decoding random binary linear codes in 2 n/20: How 1 + 1 = 0 improves information set decoding, (EUROCRYPT 2012. EUROCRYPT 2012, LNCS, vol. 7237, 2012, Springer), 520-536 · Zbl 1291.94206 |
| [7] | Bellare, M.; Boldyreva, A.; Desai, A.; Pointcheval, D., Key-privacy in public-key encryption, (ASIACRYPT 2001. ASIACRYPT 2001, LNCS, vol. 2248, 2001, Springer), 566-582 · Zbl 1064.94553 |
| [8] | Bellare, M.; Micciancio, D.; Warinschi, B., Foundations of group signatures: formal definitions, simplified requirements, and a construction based on general assumptions, (EUROCRYPT 2003. EUROCRYPT 2003, LNCS, vol. 2656, 2003, Springer), 614-629 · Zbl 1038.94552 |
| [9] | Bellare, M.; Shi, H.; Zhang, C., Foundations of group signatures: the case of dynamic groups, (CT-RSA 2005. CT-RSA 2005, LNCS, vol. 3376, 2005, Springer), 136-153 · Zbl 1079.94013 |
| [10] | Benaloh, J. C.; de Mare, M., One-way accumulators: a decentralized alternative to digital signatures (extended abstract), (EUROCRYPT 1993. EUROCRYPT 1993, LNCS, vol. 765, 1993, Springer), 274-285 · Zbl 0951.94532 |
| [11] | Benhamouda, F.; Camenisch, J.; Krenn, S.; Lyubashevsky, V.; Neven, G., Better zero-knowledge proofs for lattice encryption and their application to group signatures, (ASIACRYPT 2014. ASIACRYPT 2014, LNCS, vol. 8873, 2014, Springer), 551-572 · Zbl 1306.94026 |
| [12] | Bernstein, D. J.; Lange, T.; Peters, C.; Schwabe, P., Faster 2-regular information-set decoding, (IWCC 2011. IWCC 2011, LNCS, vol. 6639, 2011, Springer), 81-98 · Zbl 1272.94096 |
| [13] | Boneh, D.; Shacham, H., Group signatures with verifier-local revocation, (CCS 2004, 2004, ACM), 168-177 |
| [14] | Boneh, D.; Sahai, A.; Waters, B., Functional encryption: a new vision for public-key cryptography, Commun. ACM, 55, 11, 56-64, 2012 |
| [15] | Bootle, J.; Cerulli, A.; Chaidos, P.; Ghadafi, E.; Groth, J., Foundations of fully dynamic group signatures, J. Cryptol., 33, 4, 1822-1870, 2020 · Zbl 1453.94063 |
| [16] | Branco, P.; Mateus, P., A code-based linkable ring signature scheme, (ProvSec 2018. ProvSec 2018, LNCS, vol. 11192, 2018, Springer), 203-219 · Zbl 1421.94083 |
| [17] | Brassard, G.; Chaum, D.; Crépeau, C., Minimum disclosure proofs of knowledge, J. Comput. Syst. Sci., 37, 2, 156-189, 1988 · Zbl 0656.68109 |
| [18] | Bresson, E.; Stern, J., Efficient revocation in group signatures, (PKC 2001. PKC 2001, LNCS, vol. 1992, 2001, Springer), 190-206 · Zbl 0993.94553 |
| [19] | Brickell, E. F.; Pointcheval, D.; Vaudenay, S.; Yung, M., Design validations for discrete logarithm based signature schemes, (PKC 2000. PKC 2000, LNCS, vol. 1751, 2000, Springer), 276-292 · Zbl 0969.94026 |
| [20] | Camenisch, J.; Lysyanskaya, A., Dynamic accumulators and application to efficient revocation of anonymous credentials, (Yung, M., CRYPTO 2002. CRYPTO 2002, LNCS, vol. 2442, 2002, Springer), 61-76 · Zbl 1026.94545 |
| [21] | Cathalo, J.; Libert, B.; Yung, M., Group encryption: non-interactive realization in the standard model, (ASIACRYPT 2009. ASIACRYPT 2009, LNCS, vol. 5912, 2009, Springer), 179-196 · Zbl 1267.94049 |
| [22] | Cayrel, P.; Hoffmann, G.; Persichetti, E., Efficient implementation of a cca2-secure variant of McEliece using generalized Srivastava codes, (PKC 2012. PKC 2012, LNCS, vol. 7293, 2012, Springer), 138-155 · Zbl 1290.94053 |
| [23] | Chaum, D.; van Heyst, E., Group signatures, (EUROCRYPT 1991. EUROCRYPT 1991, LNCS, vol. 547, 1991, Springer), 257-265 · Zbl 0791.68044 |
| [24] | Dallot, L.; Vergnaud, D., Provably secure code-based threshold ring signatures, (IMACC 2009. IMACC 2009, LNCS, vol. 5921, 2009, Springer), 222-235 · Zbl 1234.94037 |
| [25] | Döttling, N.; Dowsley, R.; Müller-Quade, J.; Nascimento, A. C.A., A CCA2 secure variant of the McEliece cryptosystem, IEEE Trans. Inf. Theory, 58, 10, 6672-6680, 2012 · Zbl 1364.94534 |
| [26] | Ezerman, M. F.; Lee, H. T.; Ling, S.; Nguyen, K.; Wang, H., A provably secure group signature scheme from code-based assumptions, (ASIACRYPT 2015. ASIACRYPT 2015, LNCS, vol. 9452, 2015, Springer), 260-285 · Zbl 1396.94075 |
| [27] | Ezerman, M. F.; Lee, H. T.; Ling, S.; Nguyen, K.; Wang, H., Provably secure group signature schemes from code-based assumptions, IEEE Trans. Inf. Theory, 66, 9, 5754-5773, 2020 · Zbl 1448.94242 |
| [28] | Fiat, A.; Shamir, A., How to prove yourself: practical solutions to identification and signature problems, (CRYPTO 1986. CRYPTO 1986, LNCS, vol. 263, 1986, Springer), 186-194 · Zbl 0636.94012 |
| [29] | Gentry, C., Fully homomorphic encryption using ideal lattices, (STOC 2009, 2009, ACM), 169-178 · Zbl 1304.94059 |
| [30] | Goldreich, O.; Micali, S.; Wigderson, A., How to prove all np-statements in zero-knowledge, and a methodology of cryptographic protocol design, (CRYPTO 1986. CRYPTO 1986, LNCS, vol. 263, 1986, Springer), 171-185 · Zbl 0636.94010 |
| [31] | Goldwasser, S.; Micali, S.; Rackoff, C., The knowledge complexity of interactive proof systems, SIAM J. Comput., 18, 1, 186-208, 1989 · Zbl 0677.68062 |
| [32] | Goyal, V.; Pandey, O.; Sahai, A.; Waters, B., Attribute-based encryption for fine-grained access control of encrypted data, (CCS 2006, 2006, ACM), 89-98 |
| [33] | Izabachène, M.; Pointcheval, D.; Vergnaud, D., Mediated traceable anonymous encryption, (LATINCRYPT 2010. LATINCRYPT 2010, LNCS, vol. 6212, 2010, Springer), 40-60 · Zbl 1285.94071 |
| [34] | Jain, A.; Krenn, S.; Pietrzak, K.; Tentes, A., Commitments and efficient zero-knowledge proofs from learning parity with noise, (ASIACRYPT 2012. ASIACRYPT 2012, LNCS, vol. 7658, 2012, Springer), 663-680 · Zbl 1292.94082 |
| [35] | Kiayias, A.; Tsiounis, Y.; Yung, M., Traceable signatures, (EUROCRYPT 2004. EUROCRYPT 2004, LNCS, vol. 3027, 2004, Springer), 571-589 · Zbl 1122.94427 |
| [36] | Kiayias, A.; Tsiounis, Y.; Yung, M., Group encryption, (ASIACRYPT 2007. ASIACRYPT 2007, LNCS, vol. 4833, 2007, Springer), 181-199 · Zbl 1153.94399 |
| [37] | Kobara, K.; Imai, H., Semantically secure McEliece public-key cryptosystems-conversions for McEliece PKC, (PKC 2001. PKC 2001, LNCS, vol. 1992, 2001, Springer), 19-35 · Zbl 0988.94021 |
| [38] | Libert, B.; Peters, T.; Yung, M., Scalable group signatures with revocation, (EUROCRYPT 2012. EUROCRYPT 2012, LNCS, vol. 7237, 2012, Springer), 609-627 · Zbl 1296.94155 |
| [39] | Libert, B.; Peters, T.; Yung, M., Group signatures with almost-for-free revocation, (CRYPTO 2012. CRYPTO 2012, LNCS, vol. 7417, 2012, Springer), 571-589 · Zbl 1296.94156 |
| [40] | Libert, B.; Yung, M.; Joye, M.; Peters, T., Traceable group encryption, (PKC 2014. PKC 2014, LNCS, vol. 8383, 2014, Springer), 592-610 · Zbl 1300.94079 |
| [41] | Libert, B.; Ling, S.; Mouhartem, F.; Nguyen, K.; Wang, H., Signature schemes with efficient protocols and dynamic group signatures from lattice assumptions, (ASIACRYPT 2016. ASIACRYPT 2016, LNCS, vol. 10032, 2016), 373-403 · Zbl 1407.94136 |
| [42] | Libert, B.; Ling, S.; Nguyen, K.; Wang, H., Zero-knowledge arguments for lattice-based accumulators: logarithmic-size ring signatures and group signatures without trapdoors, (EUROCRYPT 2016. EUROCRYPT 2016, LNCS, vol. 9666, 2016, Springer), 1-31 · Zbl 1369.94552 |
| [43] | Libert, B.; Ling, S.; Mouhartem, F.; Nguyen, K.; Wang, H., Zero-knowledge arguments for matrix-vector relations and lattice-based group encryption, Theor. Comput. Sci., 759, 72-97, 2019 · Zbl 1423.94085 |
| [44] | Libert, B.; Ling, S.; Mouhartem, F.; Nguyen, K.; Wang, H., Adaptive oblivious transfer with access control from lattice assumptions, Theor. Comput. Sci., 891, 210-229, 2021 · Zbl 1517.94124 |
| [45] | Ling, S.; Nguyen, K.; Stehlé, D.; Wang, H., Improved zero-knowledge proofs of knowledge for the ISIS problem, and applications, (PKC 2013. PKC 2013, LNCS, vol. 7778, 2013, Springer), 107-124 · Zbl 1314.94087 |
| [46] | Ling, S.; Nguyen, K.; Wang, H.; Xu, Y., Accountable tracing signatures from lattices, (CT-RSA 2019. CT-RSA 2019, LNCS, vol. 11405, 2019, Springer), 556-576 · Zbl 1453.94099 |
| [47] | Ling, S.; Nguyen, K.; Wang, H.; Xu, Y., Lattice-based group signatures: achieving full dynamicity (and deniability) with ease, Theor. Comput. Sci., 783, 71-94, 2019 · Zbl 1455.94213 |
| [48] | Liu, H.; Wang, X.; Yang, K.; Yu, Y., The hardness of LPN over any integer ring and field for PCG applications, (Eurocrypt 2024. Eurocrypt 2024, LNCS, vol. 14656, 2024, Springer), 149-179 |
| [49] | Lyubashevsky, V.; Micciancio, D., Asymptotically efficient lattice-based digital signatures, J. Cryptol., 31, 3, 774-797, 2018 · Zbl 1400.94165 |
| [50] | Lyubashevsky, V.; Peikert, C.; Regev, O., On ideal lattices and learning with errors over rings, J. ACM, 60, 6, Article 43 pp., 2013 · Zbl 1281.68140 |
| [51] | McEliece, R. J., A public-key cryptosystem based on algebraic coding theory, Coding Thv, 4244, 114-116, 1978 |
| [52] | Melchor, C. A.; Cayrel, P.; Gaborit, P., A new efficient threshold ring signature scheme based on coding theory, (PQCrypto 2008. PQCrypto 2008, LNCS, vol. 5299, 2008, Springer), 1-16 · Zbl 1177.94178 |
| [53] | Melchor, C. A.; Cayrel, P.; Gaborit, P.; Laguillaumie, F., A new efficient threshold ring signature scheme based on coding theory, IEEE Trans. Inf. Theory, 57, 7, 4833-4842, 2011 · Zbl 1365.94396 |
| [54] | Morozov, K.; Takagi, T., Zero-knowledge protocols for the McEliece encryption, (ACISP 2012. ACISP 2012, LNCS, vol. 7372, 2012, Springer), 180-193 · Zbl 1305.94067 |
| [55] | Nakanishi, T.; Fujii, H.; Hira, Y.; Funabiki, N., Revocable group signature schemes with constant costs for signing and verifying, (PKC 2009. PKC 2009, LNCS, vol. 5443, 2009, Springer), 463-480 · Zbl 1227.94081 |
| [56] | Naor, M.; Yung, M., Public-key cryptosystems provably secure against chosen ciphertext attacks, (STOC 1990, 1990, ACM), 427-437 |
| [57] | Nguyen, K.; Tang, H.; Wang, H.; Zeng, N., New code-based privacy-preserving cryptographic constructions, (ASIACRYPT 2019. ASIACRYPT 2019, LNCS, vol. 11922, 2019, Springer), 25-55 · Zbl 1455.94184 |
| [58] | Nguyen, K.; Safavi-Naini, R.; Susilo, W.; Wang, H.; Xu, Y.; Zeng, N., Group encryption: full dynamicity, message filtering and code-based instantiation, (PKC 2021. PKC 2021, LNCS, vol. 12711, 2021, Springer), 678-708 · Zbl 1479.94235 |
| [59] | Nojima, R.; Imai, H.; Kobara, K.; Morozov, K., Semantic security for the McEliece cryptosystem without random oracles, Des. Codes Cryptogr., 49, 1-3, 289-305, 2008 · Zbl 1196.94062 |
| [60] | Regev, O., On lattices, learning with errors, random linear codes, and cryptography, J. ACM, 56, 6, Article 34 pp., 2009 · Zbl 1325.68101 |
| [61] | Rivest, R. L.; Shamir, A.; Tauman, Y., How to leak a secret, (ASIACRYPT 2001. ASIACRYPT 2001, LNCS, vol. 2248, 2001, Springer), 552-565 · Zbl 1064.94558 |
| [62] | Shor, P. W., Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Comput., 26, 5, 1484-1509, 1997 · Zbl 1005.11065 |
| [63] | Stern, J., A new paradigm for public key identification, IEEE Trans. Inf. Theory, 42, 6, 1757-1768, 1996 · Zbl 0944.94008 |
| [64] | Trolin, M.; Wikström, D., Hierarchical group signatures, (ICALP 2005. ICALP 2005, LNCS, vol. 3580, 2005, Springer), 446-458 · Zbl 1082.94546 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
