[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ Skip to main content
Log in

Timed-release computational secret sharing and threshold encryption

  • Published:
Designs, Codes and Cryptography Aims and scope Submit manuscript

Abstract

In modern cryptography, a secret sharing scheme is an important cryptographic primitive. In particular, Krawczyk proposed a computational secret sharing (CSS) scheme, which is a practical, simple secret sharing scheme. In this paper, we focus on a CSS scheme with timed-release functionality, which we call a timed-release computational secret sharing (TR-CSS) scheme. In TR-CSS, participants more than or equal to a threshold number can reconstruct a secret by using their shares only when the time specified by a dealer has come. Our main purpose is to realize a TR-CSS scheme in a generic and efficient way in terms of the share size. Specifically, we first introduce a model and formalization of security of TR-CSS. In addition, we propose two kinds of constructions of TR-CSS: the first one is a simple and generic construction starting from an identity-based key encapsulation mechanism (IB-KEM); the second one, which is a more efficient construction than the first one, is built using a specific IB-KEM as the underlying IB-KEM. As a result, we can regard TR-CSS as a natural extension of Krawczyk’s CSS in terms of both a model and constructions, and we finally succeed to add timed-release functionality to Krawczyk’s CSS with small overhead, which is almost optimal. Moreover, our proposal of TR-CSS is important for constructing threshold encryption and multiple encryption with timed-release functionality in a generic and efficient way. Dodis and Katz showed (i) a simple and generic construction of threshold encryption from multiple encryption; and (ii) a simple, elegant and generic construction of multiple encryption. By using TR-CSS, we can effectively apply the Dodis–Katz paradigm even in the context of timed-release security.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Subscribe and save

Springer+ Basic
£29.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Price includes VAT (United Kingdom)

Instant access to the full article PDF.

Similar content being viewed by others

Notes

  1. The ciphertext size in the underlying IB-KEM leads directly to the share size of the resulting TR-CSS scheme.

  2. SS schemes with the (kn)-threshold access structure is traditionally called (kn)-threshold SS schemes.

  3. The notion of FTG-CPA will be described in Sect. 2.5.

  4. For the rest of this paper, in each scheme, we omit a security parameter \(1^{\kappa }\) from all algorithms except for a setup (or key generation) algorithm as input, if it is clear from the context.

  5. In this game, we consider \({\mathcal {W}}={\mathcal {P}}\) (not a proper subset of \({\mathcal {P}}\)), since we want to focus on the strongest security.

  6. For formal definitions of ME, PKE, and OTS, see Appendix 1.

  7. Our goal is to keep confidentiality until the specified time comes. Therefore, we do not consider replacing OTS schemes.

  8. To be precise, an IND-CCA secure tag-KEM [1] and a DEM. However, we simplify our description here for the easy-to-understand explanation since an IND-CCA secure PKE scheme can be constructed from these primitives.

  9. As mentioned in [22], it is only necessary to consider a notion of “CPA” for insider security, since an adversary has all secret keys and hence he can decrypt ciphertexts by access to a time-signals generation oracle.

  10. In timed-release cryptography, it is usually assumed that the time-server always generates and broadcasts time-signals correctly, however tries to get some information on the underlying plaintexts from transmitted ciphertexts. Such an adversary is often called the curious one.

References

  1. Abe M., Gennaro R., Kurosawa K., Shoup V.: Tag-KEM/DEM: a new framework for hybrid encryption and a new analysis of Kurosawa-Desmedt KEM. In: Cramer R. (ed.) Advances in Cryptology—EUROCRYPT 2005, vol. 3494, pp. 128–146. Springer, Berlin (2005).

    Chapter  Google Scholar 

  2. Alkassar A., Geraldy A., Pfitzmann B., Sadeghi A.R.: Optimized self-synchronizing mode of operation. In: Matsui M. (ed.) Fast Software Encryption 2001, vol. 2355, pp. 78–91. Springer, Berlin (2002).

    Chapter  Google Scholar 

  3. Béguin P., Cresti A.: General short computational secret sharing schemes. In: Guillou L., Quisquater J.J. (eds.) Advances in Cryptology—EUROCRYPT ’95, vol. 921, pp. 194–208. Springer, Berlin (1995).

    Google Scholar 

  4. Bellare M., Desai A., Jokipii E., Rogaway P.: A concrete security treatment of symmetric encryption. In: 38th Annual Symposium on Foundations of Computer Science, pp. 394–403 (1997). doi:10.1109/SFCS.1997.646128.

  5. Benaloh J., Leichter J.: Generalized secret sharing and monotone functions. In: Goldwasser S. (ed.) Advances in Cryptology—CRYPTO’ 88, vol. 403, pp. 27–35. Springer, New York (1990).

    Chapter  Google Scholar 

  6. Bentahar K., Farshim P., Malone-Lee J., Smart N.: Generic constructions of identity-based and certificateless KEMs. J. Cryptol. 21(2), 178–199 (2008).

    Article  MathSciNet  MATH  Google Scholar 

  7. Blakley G.: Safeguarding cryptographic keys. In: Proceedings of the 1979 AFIPS National Computer Conference, pp. 313–317. AFIPS Press, Monval (1979).

  8. Blakley B., Blakley G., Chan A., Massey J.: Threshold schemes with disenrollment. In: Brickell E. (ed.) Advances in Cryptology—CRYPTO’ 92, vol. 740, pp. 540–548. Springer, Berlin (1993).

    Google Scholar 

  9. Blaze M., Bleumer G., Strauss M.: Divertible protocols and atomic proxy cryptography. In: Nyberg K. (ed.) Advances in Cryptology—EUROCRYPT’98, vol. 1403, pp. 127–144. Springer, Berlin (1998).

    Google Scholar 

  10. Blundo C., Cresti A., Santis A., Vaccaro U.: Fully dynamic secret sharing schemes. In: Stinson D. (ed.) Advances in Cryptology—CRYPTO’ 93, vol. 773, pp. 110–125. Springer, Berlin (1994).

    Chapter  Google Scholar 

  11. Boneh D., Franklin M.: Identity-based encryption from the Weil pairing. In: Kilian J. (ed.) Advances in Cryptology—CRYPTO 2001, vol. 2139, pp. 213–229. Springer, Berlin (2001).

    Chapter  Google Scholar 

  12. Boneh D., Naor M.: Timed commitments. In: Bellare M. (ed.) Advances in Cryptology—CRYPTO 2000, vol. 1880, pp. 236–254. Springer, Berlin (2000).

    Chapter  Google Scholar 

  13. Boneh D., Di Crescenzo G., Ostrovsky R., Persiano G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J. (eds.) Advances in Cryptology—EUROCRYPT 2004. Lecture Notes in Computer Science, vol. 3027, pp. 506–522. Springer, Berlin (2004).

  14. Boneh D., Boyen X., Halevi S.: Chosen ciphertext secure public key threshold encryption without random oracles. In: Pointcheval D. (ed.) Topics in Cryptology—CT-RSA 2006, vol. 3860, pp. 226–243. Springer, Berlin (2006). doi:10.1007/11605805_15.

    Chapter  Google Scholar 

  15. Cachin C.: On-line secret sharing. In: Boyd C. (ed.) Cryptography and Coding, vol. 1025, pp. 190–198. Springer, Berlin (1995).

    Chapter  Google Scholar 

  16. Cathalo J., Libert B., Quisquater J.J.: Efficient and non-interactive timed-release encryption. In: Qing S., Mao W., López J., Wang G. (eds.) Information and Communications Security, vol. 3783, pp. 291–303. Springer, Berlin (2005).

    Chapter  Google Scholar 

  17. Chalkias K., Hristu-Varsakelis D., Stephanides G.: Improved anonymous timed-release encryption. In: Biskup J., López J. (eds.) Computer Security—ESORICS 2007, vol. 4734, pp. 311–326. Springer, Berlin (2007).

    Chapter  Google Scholar 

  18. Chan A.F., Blake I.: Scalable, server-passive, user-anonymous timed release cryptography. In: the 25th IEEE International Conference on Distributed Computing Systems, ICDCS 2015, pp. 504–513 (2005).

  19. Cheon J.H., Hopper N., Kim Y., Osipkov I.: Provably secure timed-release public key encryption. ACM Trans. Inf. Syst. Secur. 11(2), 4:1–4:44 (2008). doi:10.1145/1330332.1330336.

    Article  MATH  Google Scholar 

  20. Cramer R., Gennaro R., Schoenmakers B.: A secure and optimally efficient multi-authority election scheme. In: Fumy W. (ed.) Advances in Cryptology—EUROCRYPT ’97, pp. 103–118. Springer, Berlin (1997).

    Google Scholar 

  21. Cramer R., Damgård I., Nielsen J.B.: Multiparty computation from threshold homomorphic encryption. In: Pfitzmann B. (ed.) Advances in Cryptology—EUROCRYPT 2001, pp. 280–300. Springer, Berlin (2001).

    Chapter  Google Scholar 

  22. Dent A., Tang Q.: Revisiting the security model for timed-release encryption with pre-open capability. In: Garay J., Lenstra A., Mambo M., Peralta R. (eds.) Information Security, vol. 4779, pp. 158–174. Springer, Berlin (2007).

    Chapter  Google Scholar 

  23. Dodis Y., Katz J.: Chosen-ciphertext security of multiple encryption. In: Kilian J. (ed.) Theory of Cryptography, vol. 3378, pp. 188–209. Springer, Berlin (2005).

    Chapter  Google Scholar 

  24. Garay J., Jakobsson M.: Timed release of standard digital signatures. In: Blaze M. (ed.) Financial Cryptography, vol. 2357, pp. 168–182. Springer, Berlin (2003).

    Chapter  Google Scholar 

  25. Garay J., Pomerance C.: Timed fair exchange of standard signatures. In: Wright R. (ed.) Financial Cryptography, vol. 2742, pp. 190–207. Springer, Berlin (2003).

    Chapter  Google Scholar 

  26. Groth J.: Non-interactive zero-knowledge arguments for voting. In: Ioannidis J., Keromytis A., Yung M. (eds.) Applied Cryptography and Network Security, pp. 467–482. Springer, Berlin (2005).

    Chapter  Google Scholar 

  27. Herzberg A., Jarecki S., Krawczyk H., Yung M.: Proactive secret sharing or: how to cope with perpetual leakage. In: Coppersmith D. (ed.) Advances in Cryptology—CRYPTO ’95, vol. 963, pp. 339–352. Springer, Berlin (1995).

    Google Scholar 

  28. Ito M., Saito A., Nishizeki T.: Secret sharing scheme realizing general access structure. In: IEEE Globecom’87, pp. 99–102 (1987).

  29. Karnin E., Greene J., Hellman M.: On secret sharing systems. IEEE Trans. Inf. Theory 29(1), 35–41 (1983).

    Article  MathSciNet  MATH  Google Scholar 

  30. Kiltz E., Galindo D.: Direct chosen-ciphertext secure identity-based key encapsulation without random oracles. In: Batten L., Safavi-Naini R. (eds.) Information Security and Privacy, vol. 4058, pp. 336–347. Springer, Berlin (2006).

    Chapter  Google Scholar 

  31. Kiltz E., Galindo D.: Direct chosen-ciphertext secure identity-based key encapsulation without random oracles. Theor. Comput. Sci. 410(47–49), 5093–5111 (2009).

    Article  MathSciNet  MATH  Google Scholar 

  32. Krawczyk H.: Secret sharing made short. In: Stinson D. (ed.) Advances in Cryptology—CRYPTO ’93, vol. 773, pp. 136–146. Springer, Berlin (1994).

    Google Scholar 

  33. Matsuda T., Nakai Y., Matsuura K.: Efficient generic constructions of timed-release encryption with pre-open capability. In: Joye M., Miyaji A., Otsuka A. (eds.) Pairing-Based Cryptography—Pairing 2010, vol. 6487, pp. 225–245. Springer, Berlin (2010).

    Chapter  Google Scholar 

  34. May T.: Timed-release crypto. Manuscript (1993).

  35. Merkle R.C., Hellman M.E.: On the security of multiple encryption. Commun. ACM 24(7), 465–467 (1981). doi:10.1145/358699.358718.

    Article  MathSciNet  Google Scholar 

  36. Nakai Y., Matsuda T., Kitada W., Matsuura K.: A generic construction of timed-release encryption with pre-open capability. In: Takagi T., Mambo M. (eds.) Advances in Information and Computer Security, vol. 5824, pp. 53–70. Springer, Berlin (2009).

    Chapter  Google Scholar 

  37. Rabin M.: The information dispersal algorithm and its applications. In: Capocelli R. (ed.) Sequences, pp. 406–419. Springer, New York (1990).

    Chapter  Google Scholar 

  38. Rabin M.O.: Efficient dispersal of information for security, load balancing, and fault tolerance. J. ACM 36(2), 335–348 (1989).

    Article  MathSciNet  MATH  Google Scholar 

  39. Rivest R.L., Shamir A., Wagner D.A.: Time-lock puzzles and timed-release crypto. Tech. Rep. Technical memo MIT/LCS/TR-684, MIT Laboratory for Computer Science (1996). (Revision 3/10/96).

  40. Rogaway P., Bellare M.: Robust computational secret sharing and a unified account of classical secret-sharing goals. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS ’07, pp. 172–184. ACM, New York (2007). doi:10.1145/1315245.1315268.

  41. Shamir A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979). doi:10.1145/359168.359176.

    Article  MathSciNet  MATH  Google Scholar 

  42. Shoup V.: A proposal for an ISO standard for public key encryption. Cryptology ePrint Archive, Report 2001/112 (2001). http://eprint.iacr.org/.

  43. Shoup V., Gennaro R.: Securing threshold cryptosystems against chosen ciphertext attack. In: Nyberg K. (ed.) Advances in Cryptology—EUROCRYPT ’98, vol. 1403, pp. 1–16. Springer, Berlin (1998).

    Google Scholar 

  44. Sung J., Lee S., Lim J., Lee W., Yi O.: Concrete security analysis of CTR-OFB and CTR-CFB modes of operation. In: Kim K. (ed.) Information Security and Cryptology—ICISC 2001, vol. 2288, pp. 103–113. Springer, Berlin (2002).

    Chapter  Google Scholar 

  45. Watanabe Y., Shikata J.: Timed-release computational secret sharing scheme and its applications. In: Chow S., Liu J., Hui L., Yiu S. (eds.) Provable Security, vol. 8782, pp. 326–333. Springer International Publishing, New York (2014).

    Google Scholar 

  46. Watanabe Y., Shikata J.: Timed-release secret sharing schemes with information theoretic security. In: Ors B., Preneel B. (eds.) Cryptography and Information Security in the Balkans, vol. 9024, pp. 219–236. Springer International Publishing, New York (2015).

    Chapter  Google Scholar 

  47. Waters B.: Efficient identity-based encryption without random oracles. In: Cramer R. (ed.) Advances in Cryptology—EUROCRYPT 2005, vol. 3494, pp. 114–127. Springer, Berlin (2005).

    Chapter  Google Scholar 

  48. Wee H.: Déjà Q: Encore! un petit IBE. In: Kushilevitz E., Malkin T. (eds.) Theory of Cryptography, TCC 2016-A, Part II, pp. 237–258. Springer, Berlin (2016).

    Google Scholar 

  49. Zhang R., Hanaoka G., Shikata J., Imai H.: On the security of multiple encryption or CCA-security+CCA-security=CCA-security? In: Bao F., Deng R., Zhou J. (eds.) Public Key Cryptography—PKC 2004, vol. 2947, pp. 360–374. Springer, Berlin (2004).

    Chapter  Google Scholar 

Download references

Acknowledgements

We would like to thank Goichiro Hanaoka and Keita Emura for helpful suggestions to improve the preliminary version of this paper, and Michel Abdalla for his valuable comment for the conference version of this paper. We would also like to than anonymous reviewers for their constructive feedbacks. The first author is supported by JSPS Research Fellowships for Young Scientists. This work (Yohei Watanabe) was supported by Grant-in-Aid for JSPS Fellows Grant Number 25\(\cdot \)3998, This work (Junji Shikata) was conducted under the auspices of the MEXT Program for Promoting the Reform of National Universities.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Yohei Watanabe.

Additional information

Communicated by C. Blundo.

A shorter version appeared in the Proceedings of the 8th International Conference on Provable Security (ProvSec 2014), Hong Kong, October, 2014 [45]. This is the full version.

Appendices

Appendix 1: Definitions

We give several formal definitions.

1.1 Bilinear groups

A (symmetric) bilinear group generator \({\mathcal {G}}\) is an algorithm that takes a security parameter \(\kappa \) as input and outputs a bilinear group \((p, {\mathbb {G}}, {\mathbb {G}}_T, g, e)\), where p is a prime, \({\mathbb {G}}\) and \({\mathbb {G}}_T\) are multiplicative cyclic groups of order p, g is a (random) generator of \({\mathbb {G}}\), and e is an efficiently computable and non-degenerate bilinear map \(e: {\mathbb {G}}\times {\mathbb {G}}\rightarrow {\mathbb {G}}_T\) with the following bilinear property: For any \(u, u',v, v' \in {\mathbb {G}}\), \(e(uu',v)=e(u,v)e(u',v)\) and \(e(u,vv')=e(u,v)e(u,v')\), and for any \(u,v\in {\mathbb {G}}\) and any \(a\in {\mathbb {Z}}_p\), \(e(u^a,v)=e(u,v^a)=e(u,v)^a\).

1.2 Decisional bilinear Diffie–Hellman (DBDH) assumption

Let \({\mathcal {A}}\) be a PPT adversary and we consider \({\mathcal {A}}\)’s advantage against the DBDH problem as follows.

figure j

Definition 13

For \({}^{\exists }\kappa _0 \in {\mathbb {N}}\) and \({}^{\forall }\kappa \ge \kappa _0\), the DBDH assumption relative to a generator \({\mathcal {G}}\) holds if there exists a negligible \(\epsilon \) in \(\kappa \) such that \(Adv^{\textsf {DBDH}}_{{\mathcal {G}},{\mathcal {A}}}(\kappa )<\epsilon \) holds for any PPT adversary \({\mathcal {A}}\).

1.3 Multiple encryption

In ME, a plaintext is encrypted by using independent secret keys or distinct PKE schemes based on different computational assumptions. An ME scheme provides better security than a PKE scheme, since even if underlying assumptions of some component PKE schemes are broken or some of secret keys are leaked, the confidentiality can still be maintained by the remaining PKE schemes (for details, see [23, 35, 49]).

We adopt the model of ME shown by Dodis and Katz [23]. An ME scheme \({\varPi }_{\textsc {me}}\) consists of five-tuple algorithms (M.Gen, M.Enc, Split, M.Dec, M.Combine) defined as follows, where \({\mathcal {M}}_{\textsc {me}}\) is a set of plaintexts determined by a security parameter \(\kappa \).

  • \((EK,{{\varvec{D}}}{{\varvec{K}}})\leftarrow \textsf {M.Gen}(1^{\kappa })\): A probabilistic algorithm for key generation. It takes a security parameter \(\kappa \) as input, and outputs a public key EK and secret keys \({{\varvec{D}}}{{\varvec{K}}}:=(DK_1,\ldots ,DK_n)\).

  • \(C\leftarrow \textsf {M.Enc}_L(EK,M)\): A probabilistic algorithm for encryption. It takes a public key EK, a label L, and a plaintext \(M\in {\mathcal {M}}_{\textsc {me}}\) as input, and then outputs a ciphertext C.

  • \({\varvec{C}}\leftarrow \textsf {Split}_L(EK,C)\): A deterministic algorithm for splitting a ciphertext. It takes a public key EK, a label L, and a ciphertext C as input, and outputs n ciphertext shares \({\varvec{C}}:=(C_1,\ldots ,C_n)\).

  • \(M_i\) or \(\bot \leftarrow \textsf {M.Dec}(DK_{i},C_i)\): A deterministic algorithm for decryption. It takes a secret key \(DK_i\) and a ciphertext share \(C_i\) as inputs, and outputs a decryption share \(M_i\) or \(\bot \).

  • M or \(\bot \leftarrow \textsf {M.Combine}({\varvec{M}})\): A deterministic algorithm for combining decryption shares. It takes all decryption shares \({\varvec{M}}:=(M_1,\ldots ,M_n)\) as input, and outputs the plaintext \(M\in {\mathcal {M}}_{\textsc {me}}\) or \(\bot \notin {\mathcal {M}}_{\textsc {me}}\).

In the above model, we assume that \({\varPi }_{\textsc {me}}\) meets the following correctness property: For all \(\kappa \in {\mathbb {N}}\), all labels L, all \((EK,{{\varvec{D}}}{{\varvec{K}}})\leftarrow \textsf {M.Gen}(1^{\kappa })\) and all \(M\in {\mathcal {M}}_{\textsc {me}}\), it holds that

$$\begin{aligned}&M\leftarrow \textsf {M.Combine}(\varvec{DEC}(\textsf {Split}_L(EK,\textsf {M.Enc}_L(EK,M)))), \end{aligned}$$

where \(\varvec{DEC}({\varvec{C}}):=(\textsf {M.Dec}(DK_{1},C_1),\ldots ,\textsf {M.Dec}(DK_{n},C_n))\) for \((C_1,\ldots ,C_n)\leftarrow \textsf {Split}_L(EK,\) \(\textsf {M.Enc}_L(EK,M))\).

Table 1 Oracles in the IND-X game

We describe notions of indistinguishability against the following four attacks defined by Dodis and Katz [23]: multiple chosen plaintext attack (IND-MCPA), weak multiple chosen ciphertext attack (IND-wMCCA), multiple chosen ciphertext attack (IND-MCCA), and strong multiple chosen ciphertext attack (IND-sMCCA). Let \({\mathcal {A}}\) be a PPT adversary, and let X \(\in \){MCPA,wMCCA,MCCA,sMCCA}. Let \({\mathcal {A}}\) be a PPT adversary, and \({\mathcal {A}}\)’s advantage against the IND-X security is defined by

figure k

Here, we require \(|M_{0}^*|=|M_{1}^*|\), and st is state information. \(\textit{Corrupt}(\cdot )\) is a corrupt oracle which takes an ID i as input, and then \({\mathcal {W}}\leftarrow {\mathcal {W}}\cup \{P_i\}\) and returns \(DK_i\). \({\mathcal {A}}\) can query to \(\textit{Corrupt}(\cdot )\) until \(|{\mathcal {W}}|=d\). In addition, \({\mathcal {O}}\) is an oracle corresponding to attacks (see Table 1). \({\mathcal {A}}\) is allowed to access the above oracle at most \(q_{c}\) times at any time, however it cannot submit the target ciphertext \(C^*\) to \({\mathcal {O}}\). In addition to this, we need to add two restrictions in the IND-sMCCA game. First, \({\mathcal {A}}\) cannot submit \((i, C_i^*)\), where \(C^*_i\in \varvec{C^*}\) and \(({\varvec{C}}^*,aux)\leftarrow \textsf {Split}_{L^*}(EK,C^*)\). Second, we need the weakly collision-resistant property, which means that any PPT adversary \({\mathcal {A}}\) cannot find \(C'\) such that \(\textsf {Split}_{L}^{(i)}(EK,C)=\textsf {Split}_{L}^{(i)}(EK,C')\) and \(C'\ne C\), where \(\textsf {Split}_{L}^{(i)}(EK,C)\) denotes the i-th output of \(\textsf {Split}_L(EK,C)\) (see [23] for the formal definition).

Definition 14

(Security of ME [23]) For \({}^{\exists }\kappa _0 \in {\mathbb {N}}\) and \({}^{\forall }\kappa \ge \kappa _0\), an ME scheme \({\varPi }_{\textsc {me}}\) is said to be \((d, q_{c}, \epsilon )\)-IND-X secure if there exists a negligible \(\epsilon \) in \(\kappa \) such that \(Adv^{\textsf {IND-X}}_{{\varPi }_{\textsc {me}},{\mathcal {A}}}(\kappa )<\epsilon \) holds for any PPT adversary \({\mathcal {A}}\), where d is the maximum number of secret keys that \({\mathcal {A}}\) can obtain and \(q_{c}\) is the number of queries that \({\mathcal {A}}\) can issue to the oracle \({\mathcal {O}}\) in the IND-X game.

1.4 Public key encryption

We consider public key encryption (PKE) with labels as in [42]. Let \({\mathcal {M}}_{\textsc {pke}}\) be a set of plaintexts determined by a security parameter \(\kappa \). A PKE scheme \({\varPi }_{\textsc {pke}}\) consists of three-tuple algorithms (Gen, Enc, Dec) defined as follows.

  • \((pk,sk)\leftarrow \textsf {Gen}(1^{\kappa })\): A probabilistic algorithm for key generation. It takes a security parameter \(\kappa \) as input and outputs a pair of a public key and a secret key (pksk).

  • \(c\leftarrow \textsf {Enc}_L(pk,m)\): An algorithm for encryption. It takes the public key pk, a label L, and a plaintext \(m\in {\mathcal {M}}_{\textsc {pke}}\) as input, and outputs a ciphertext c.

  • m or \(\bot \leftarrow \textsf {Dec}_L(sk,c)\): A deterministic algorithm for decryption. It takes the secret key sk, a label L, and a ciphertext C, and outputs a plaintext \(m\in {\mathcal {M}}_{\textsc {pke}}\) or \(\bot \notin {\mathcal {M}}_{\textsc {pke}}\).

We assume that \({\varPi }_{\textsc {pke}}\) meets the following correctness property: For all \(\kappa \in {\mathbb {N}}\), all labels L, all \((pk,sk)\leftarrow \textsf {Gen}(1^\kappa )\), and all \(m\in {\mathcal {M}}_{\textsc {pke}}\), it holds that \(m\leftarrow \textsf {Dec}_L(sk,\textsf {Enc}_L(pk,m))\).

We describe the notion of indistinguishability against chosen plaintext attack (IND-CPA). Let \({\mathcal {A}}\) be a PPT adversary, and \({\mathcal {A}}\)’s advantage against the IND-CPA security is defined by

figure l

Here, we require \(|m_{0}^*|=|m_{1}^*|\), and st is state information.

Definition 15

(IND-CPA) For \({}^{\exists }\kappa _0 \in {\mathbb {N}}\) and \({}^{\forall }\kappa \ge \kappa _0\), a PKE scheme \({\varPi }_{\textsc {pke}}\) is said to be \(\epsilon \)-IND-CPA secure if there exists a negligible \(\epsilon \) in \(\kappa \) such that \(Adv^{\mathsf {IND\textsf {-}CPA}}_{{\varPi }_{\textsc {pke}},{\mathcal {A}}}(\kappa )<\epsilon \) holds for any PPT adversary \({\mathcal {A}}\).

Moreover, by taking a decryption oracle into account we can also consider the notion of indistinguishability against chosen ciphertext attack (IND-CCA). Let \({\mathcal {A}}\) be a PPT adversary, and \({\mathcal {A}}\)’s advantage against the IND-CCA security is defined by

figure m

Here, we require \(|m_{0}^*|=|m_{1}^*|\), and st is state information. In addition, \(\textit{Dec}(\cdot ,\cdot )\) is a decryption oracle which takes a pair of a ciphertext and a label c as input, and then returns \(\textsf {Dec}_{L}(sk,c)\). \({\mathcal {A}}\) is allowed to issue arbitrary queries to the above oracle in the chal stage, however, \({\mathcal {A}}\) cannot submit \(c^*\) to the oracle in the guess stage.

Definition 16

(IND-CCA) For \({}^{\exists }\kappa _0 \in {\mathbb {N}}\) and \({}^{\forall }\kappa \ge \kappa _0\), a PKE scheme \({\varPi }_{\textsc {pke}}\) is said to be \((q_{c}, \epsilon )\)-IND-CCA secure if there exists a negligible \(\epsilon \) in \(\kappa \) such that \(Adv^{\mathsf {IND\textsf {-}CCA}}_{{\varPi }_{\textsc {pke}},{\mathcal {A}}}(\kappa )<\epsilon \) holds for any PPT adversary \({\mathcal {A}}\), where \(q_{c}\) is the number of queries that \({\mathcal {A}}\) can issue to the oracle in the IND-CCA game.

1.5 One-time signature

Let \({\mathcal {M}}_{\textsc {ots}}\) be a set of messages determined by a security parameter \(\kappa \). A DS scheme \({\varPi }_{\textsc {ots}}\) consists of three-tuple algorithms (KG, Sign, Vrfy) defined as follows.

  • \((vk,sigk)\leftarrow \textsf {KG}(1^{\kappa })\): It takes a security parameter \(\kappa \) and outputs a pair of a verification key and a signing key (vksigk).

  • \(\sigma \leftarrow \textsf {Sign}(sigk,m)\): It takes the signing key sigk and a message \(m\in {\mathcal {M}}_{\textsc {ots}}\) and outputs a signature \(\sigma \).

  • 1 or \(0\leftarrow \textsf {Vrfy}(vk,m,\sigma )\): It takes the verification key vk and a pair of a message and a signature \((m,\sigma )\), and then outputs 1 if it accepts them, otherwise it outputs 0.

We assume that \({\varPi }_{\textsc {ds}}\) meets the following correctness property: For all \(\kappa \in {\mathbb {N}}\), all \((vk,sigk)\leftarrow \textsf {KG}(1^\kappa )\), and all \(m\in {\mathcal {M}}_{\textsc {ds}}\), it holds that \(1\leftarrow \textsf {Vrfy}(vk,m,\textsf {Sign}(sigk,m))\).

We describe the notion of strong unforgeability against a one-time attack (sUF-OT). Let \({\mathcal {A}}\) be a PPT adversary, and \({\mathcal {A}}\)’s advantage against the UF-CMA security is defined by

$$\begin{aligned} Adv^{\textsf {UF-CMA}}_{{\varPi }_{\textsc {ds}},{\mathcal {A}}}(\kappa ):= \Pr \left[ \begin{array}{l|l} \textsf {Vrfy}(vk,m^*,\sigma ^*)\rightarrow 1 &{} \ (vk,sigk)\leftarrow \textsf {KG}(1^\kappa ), \\ \wedge \ m^*\notin \{m_i\}_{i=1}^{q} &{} (m^*,\sigma ^*)\leftarrow {\mathcal {A}}^{\textit{Sign}(\cdot )}(vk) \end{array} \right] , \end{aligned}$$

where \(\textit{Sign}\) is a signing oracle which takes a message \(m\in {\mathcal {M}}_{\textsc {ots}}\) as input and returns \(\textsf {Sign}(sigk,m)\). \({\mathcal {A}}\) is allowed to access Sign only once. Formally, the OTS scheme is defined as follows.

Definition 17

(sUF-OT) If a DS scheme \({\varPi }_{\textsc {ds}}\) is \((1, \epsilon )\)-sUF-CMA secure, then it is also \(\epsilon \)-sUF-OT secure.

Appendix 2: Generic construction of (kn)-TR-CSS from TR-PKE

We show a generic construction of a (kn)-CSS scheme from a TR-PKE scheme. Before that, we describe a formal definition of TR-PKE. \({\mathcal {T}}\) is a set of time and \({\mathcal {M}}_{\textsc {tre}}\) is a set of plaintexts determined by a security parameter \(\kappa \). A TR-PKE scheme \({\varPi }_{\textsc {tpke}}\) consists of five-tuple algorithms (TR.Init, TRKeyGen, TR.Release, TR.Enc, TR.Dec) defined as follows:

  • \((params,tsk)\leftarrow \textsf {TR.Init}(1^{\kappa })\): A probabilistic algorithm for setup. It takes a security parameter \(\kappa \) as input and outputs a public parameter params and time-server’s master secret key tsk.

  • \((upk,usk)\leftarrow \textsf {TR.KeyGen}(params)\): An algorithm for key generation. It takes the public parameter params as input and outputs a pair of public key upk and a secret key usk.

  • \(s_{t}\leftarrow \textsf {TR.Release}(tsk,t)\): An algorithm for time-signal generation. It takes the master secret key tsk and time \(t\in {\mathcal {T}}\) as input and outputs a time-signal \(s_{t}\) at time t.

  • \(ct_{t}\leftarrow \textsf {TR.Enc}(params,upk,m,t)\): A probabilistic algorithm for encryption. It takes the public parameter params, a public key upk, time t, and a plaintext \(m\in {\mathcal {M}}_{\textsc {tre}}\) as input and then outputs a ciphertext \(ct_{t}\).

  • m or \(\bot \leftarrow \textsf {TR.Dec}(params, usk, s_{t},ct_{t}, t)\): A deterministic algorithm for decryption. It takes the public parameter params, a secret key usk, a time-signal \(s_t\) at the specified time t, a ciphertext \(ct_{t}\), and the specified time t as input, and then outputs a plaintext \(m\in {\mathcal {M}}_{\textsc {tre}}\) or \(\bot \notin {\mathcal {M}}_{\textsc {tre}}\).

In the above model, we assume that \({\varPi }_{\textsc {tpke}}\) meets the following correctness property: For all \(\kappa \in {\mathbb {N}}\), all \((params,tsk)\leftarrow \textsf {TR.Init}(1^{\kappa })\), all \((upk,usk)\leftarrow \textsf {TR.KeyGen}(params)\), all \(t\in {\mathcal {T}}\), and all \(m\in {\mathcal {M}}_{\textsc {tre}}\), it holds that \(m\leftarrow \textsf {TR.Dec}(params, usk, \textsf {TR.Release}(tsk,t),\textsf {TR.Enc}(params,\) upkmt), t).

We describe two security notions: Indistinguishability against chosen plaintext attack (IND-CPA) and indistinguishability against chosen time and plaintext attack (IND-CTPA). The former is a security notion against a curious time-server.Footnote 10 In fact, formalization of this notion is almost the same as the IND-CPA security of PKE. In the latter, we consider malicious receivers attempting to obtain information on the plaintext before its specified time. Let \({\mathcal {A}}\) be a PPT adversary, and \({\mathcal {A}}\)’s advantage against the IND-CPA security is defined by

figure n

Here, we require \(|m_{0}^*|=|m_{1}^*|\), and st is state information.

Definition 18

(IND-CPA) For \({}^{\exists }\kappa _0 \in {\mathbb {N}}\) and \({}^{\forall }\kappa \ge \kappa _0\), a TR-PKE scheme \({\varPi }_{\textsf {tre}}\) is said to be \(\epsilon \)-IND-CPA secure if there exists a negligible \(\epsilon \) in \(\kappa \) such that \(Adv^{\textsf {IND-CPA}}_{{\varPi }_{\textsf {tre}},{\mathcal {A}}}(\kappa )<\epsilon \) holds for any PPT adversary \({\mathcal {A}}\).

Next, we define the IND-CTPA security. Let \({\mathcal {A}}\) be a PPT adversary, and \({\mathcal {A}}\)’s advantage against the IND-CTPA security is defined by

figure o

Here, we require \(|m_{0}^*|=|m_{1}^*|\), and st is state information. In addition, \({\mathcal {R}}(\cdot )\) is a time-signal generation oracle which takes time t as input, and then returns \(\textsf {TR.Release}(tsk,t)\). \({\mathcal {A}}\) is allowed to issue arbitrary queries to the above oracle in the chal stage, however, \({\mathcal {A}}\) cannot submit \(t^*\) to the oracle after deciding \(t^*\).

Definition 19

(IND-CTPA) For \({}^{\exists }\kappa _0 \in {\mathbb {N}}\) and \({}^{\forall }\kappa \ge \kappa _0\), a TR-PKE scheme \({\varPi }_{\textsc {tpke}}\) is said to be \((q_{ts}, \epsilon )\)-IND-CTPA secure if there exists a negligible \(\epsilon \) in \(\kappa \) such that \(Adv^{\textsf {IND-CTPA}}_{{\varPi }_{\textsc {tpke}},{\mathcal {A}}}(\kappa )<\epsilon \) holds for any PPT adversary \({\mathcal {A}}\), where \(q_{ts}\) is the number of queries that \({\mathcal {A}}\) can issue to the oracle in the IND-CTPA game.

We construct a (kn)-TR-CSS scheme by using a TR-PKE scheme as follows. Let \({\varPi }_{\textsc {ss}}\)=(SS.Share, SS.Recon) be a (kn)-SS scheme, \({\varPi }_{\textsc {ida}}\)=(IDA.Share, IDA.Recon) be a (kn)-IDA, \({\varPi }_{\textsc {tpke}}\)=(TR.Init, TRKeyGen, TR.Release, TR.Enc, TR.Dec) be a TR-PKE scheme, and let \({\varPi }_{\textsc {dem}}\)=(E, D) be a DEM. Suppose that \({\mathcal {T}}\subset \hat{{\mathcal {T}}}\). Then, a (kn)-TR-CSS scheme \({\varPi }_{\textsc {tcss}}\)=(Setup, Ext, Share, Recon) is constructed as follows.

  • \((mpk,msk)\leftarrow \textsf {Setup}(1^{\kappa })\): Output \((mpk, msk ) := (params, tsk) \leftarrow \textsf {TR.Init} ( 1^{\kappa } ) \).

  • \(ts^{(t)}\leftarrow \textsf {Ext}(msk, t)\): Output \(ts^{(t)}\leftarrow \textsf {TR.Release}(tsk,t)\).

  • \((u_1^{(t)},\ldots ,u_n^{(t)})\leftarrow \textsf {Share}({\varGamma },mpk,s,t)\): Choose \(K\overset{\$}{\leftarrow }{\mathcal {K}}\) and \(C\leftarrow \textsf {E}(K,s)\). Compute \((upk,usk)\leftarrow \textsf {TRKeyGen}(params)\) and \(ct_t\leftarrow \textsf {TR.Enc}(params,upk,K,t)\). Generate \(({\tilde{u}}_{1},\) \(\ldots ,{\tilde{u}}_{n})\leftarrow \textsf {IDA.Share}(1^{\kappa },{\varGamma },C)\), \(({\hat{u}}_{1},\ldots ,{\hat{u}}_{n})\leftarrow \textsf {SS.Share}(1^{\kappa },{\varGamma },ct_t)\), and \((\acute{u}_{1},\ldots ,\acute{u}_{n})\leftarrow \textsf {SS.Share}(1^{\kappa },{\varGamma },usk)\). Output \(u_i^{(t)}:=({\tilde{u}}_{i},{\hat{u}}_{i},\acute{u}_i) \ (1 \le i \le n)\).

  • \(s\leftarrow \textsf {Recon}({\hat{u}}_{{\mathcal {Q}}},ts^{(t)})\): Compute \(ct_t\leftarrow \textsf {SS.Recon}(1^{\kappa },{\hat{u}}_{{\mathcal {Q}}})\), \(usk\leftarrow \textsf {SS.Recon}(1^{\kappa },\acute{u}_{{\mathcal {Q}}})\), and \(C\leftarrow \textsf {IDA.Recon}(1^{\kappa },{\tilde{u}}_{{\mathcal {Q}}})\). Then compute \(K\leftarrow \textsf {TR.Dec}(params,usk,ts^{(t)},ct_t,t)\). Output \(s\leftarrow \textsf {D}(K,C)\).

The resulting (kn)-TR-CSS scheme in the above construction is secure, if a given (kn)-SS scheme is a (kn)-PSS scheme, a given TR-PKE scheme meets IND-CTPA, and a given DEM meets FTG-CPA, as follows.

Proposition 6

If \({\varPi }_{\textsc {dem}}\) is \(\epsilon _1\)-FTG-CPA secure, \({\varPi }_{\textsc {ss}}\) is (kn)-PSS, and \({\varPi }_{\textsc {tpke}}\) is \((q_{ts},\epsilon _2)\)-IND-CTPA secure, then the resulting (kn)-TR-CSS scheme \({\varPi }_{\textsc {tcss}}\) in the above construction is a \((q_t,\delta _1,\delta _2)\)-(kn)-TR-CSS scheme, where \(q_t=q_{ts}\), \(\delta _1\le \epsilon _1\) and \(\delta _2\le \epsilon _1+2\epsilon _2\).

We omit the proof of Proposition 6 since we can prove it in a similar way to the proof of Theorem 1.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Watanabe, Y., Shikata, J. Timed-release computational secret sharing and threshold encryption. Des. Codes Cryptogr. 86, 17–54 (2018). https://doi.org/10.1007/s10623-016-0324-2

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10623-016-0324-2

Keywords

Mathematics Subject Classification

Navigation