Academic Output - Theses

Title: Searchable encryption and equality test over ciphertext (可搜尋式加密和密文相等性驗證)
Author: Huang, Kaibin (黃凱彬)
Contributors: Tso, Raylin (左瑞麟), advisor; Huang, Kaibin (黃凱彬)
Keywords: Ciphertext computation; Public key encryption; Security proof; Equality test; Searchable encryption; Password-authenticated systems
Date: 2018
Upload time: 5-Feb-2018 11:24:40 (UTC+8)
Abstract (translated from the Chinese): This dissertation examines in depth a number of ciphertext-computation schemes based on public key encryption and on passwords. The first topic is public key encryption. Starting from its basic framework and security definitions, a literature review works through the properties of public key cryptography and then two common forms of ciphertext computation in public key encryption: homomorphic encryption and commutative encryption. A homomorphic operation acts between different ciphertexts encrypted under the same public key: two ciphertexts encrypted under the same public key can be combined, without decryption, into another valid ciphertext, and the result equals the encryption under that public key of the operation applied to the two plaintexts. A commutative encryption system allows repeated encryption: a ciphertext already encrypted under party A's public key can be encrypted again under party B's public key, yielding a multi-recipient ciphertext. The first topic discusses the encryption schemes built around these two ciphertext-computation techniques. The second research topic is public key encryption with equality test. Equality test over ciphertexts is a basic but important ciphertext computation: an authorized tester can verify whether two encrypted messages are equal without decrypting the ciphertexts, and beyond the equal/not-equal outcome the tester learns nothing else about the ciphertexts' contents. Public key encryption with equality test therefore amounts to public key encryption extended with authorization and equality-test functionality. The scope and design of the authorization directly affect the practicality and security of such a scheme; this dissertation proposes three authorization topics: cipher-bound authorization, compatible authorization and semantic secure authorization. The third research topic is searchable encryption, which is commonly applied in the following scenario: a user encrypts a file together with several keywords and stores them on a cloud server. When the user wants to search the encrypted files by keyword, the user chooses the keywords to search for and sends a search request to the cloud server. On receiving the request, although the keywords are stored encrypted, the server can use searchable-encryption techniques to return the files matching the keyword search to the recipient. Throughout the process the files and keywords remain protected by encryption, and the server learns neither the stored content nor the search content. This dissertation proposes two searchable encryption systems: a subset multi-keyword searchable encryption system and a password-based searchable encryption system.
Abstract (English): This dissertation addresses research on ciphertext computation techniques over public key encryption and password-authenticated cryptosystems. The first topic concerns public key encryption: the framework and security notions of public key encryption are reviewed, and two common ciphertext-computable public key encryptions, homomorphic encryption and commutative encryption, are then discussed. Homomorphic encryption denotes computation over ciphertexts encrypted under the same public key; the homomorphic operation over ciphertexts may equal the encryption of a new message computed from the two original messages. Commutative encryption stands for a repeated encryption system in which Alice's ciphertext can be encrypted again under Bob's public key, producing a dual-receiver ciphertext. Building on public key encryption, the second topic focuses on public key encryption with equality test schemes, the basic and fundamental ciphertext computation. Briefly, user-authorized testers are able to verify the equivalence of messages hidden in ciphertexts after acquiring trapdoors from the ciphertext receivers; the ciphertexts are never decrypted during the equality testing process. The scope and architecture of the authorization directly influence the applicability and security of equality test schemes. Three authorizations are proposed: “cipher-bound authorization”, “compatible authorization” and “semantic secure authorization”. The third topic is keyword search. It works in the following scenario: a user outsources encrypted files and encrypted keywords to a cloud file storage system; then, when needed, the user sends the file server a search query corresponding to some encrypted keywords. Although files and keywords are encrypted, the server is still able to verify the match and return the related files to the user.
Two pieces of research on keyword search are proposed: subset multi-keyword search based on public key encryption, and password-authenticated keyword search.
Description: Doctoral dissertation; National Chengchi University; Department of Computer Science; student ID 100753504
Source: http://thesis.lib.nccu.edu.tw/record/#G0100753504
Type: thesis
Identifier: G0100753504
URI: http://nccur.lib.nccu.edu.tw/handle/140.119/115804
Table of contents:
1. Introduction 1
1.1 Motivation 6
1.2 Contribution and organization 8
2. Preliminaries and building blocks 11
2.1 Algebra systems 12
2.1.1 Cyclic groups with composite modulus 12
2.1.2 Cyclic groups with prime modulus 12
2.1.3 Bilinear mapping (pairing) 14
2.2 Building blocks 16
2.2.1 Hash function 16
2.2.2 Secret sharing 18
2.2.3 Commitment 19
2.2.4 Key derivation function 21
2.2.5 Pseudo random function 21
2.2.6 Message authentication code 21
3. Public key encryption 23
3.1 Framework 23
3.1.1 Syntax 24
3.1.2 Security notions 25
3.2 Previous works 29
3.2.1 RSA 29
3.2.2 Paillier encryption 31
3.2.3 ElGamal encryption 33
3.2.4 Cramer-Shoup encryption 34
3.3 Homomorphic encryption schemes 36
3.3.1 Fully homomorphic encryption 36
3.4 Commutative encryption schemes 38
3.4.1 A commutative encryption scheme based on ElGamal encryption 41
3.4.2 One-time-commutative public key encryption 47
4. Public key encryption with equality test 51
4.1 Equality test among different users' ciphertexts 55
4.2 The cipher-bound trapdoors 60
4.3 Equality test scheme with compatible trapdoors 67
4.4 Semantic secure equality test 77
5. Public key encryption with keyword search 85
5.1 Framework and previous works of PEKS 86
5.2 Public key encryption with subset keyword search 90
5.3 Password-authenticated keyword search 96
6. Conclusion 121
References 123
Appendices 131
Format: 4004050 bytes, application/pdf
[52] ACM, “A.M. Turing Award Winners by Year.” 2016.
[53] E. Fujisaki, T. Okamoto, D. Pointcheval, and J. Stern, “RSA-OAEP Is Secure under the RSA Assumption,” in CRYPTO’01, 2001, vol. 2139, pp. 260–274.
[54] M. Bellare and P. Rogaway, “Optimal Asymmetric Encryption,” in EUROCRYPT’94, 1994, vol. 950, pp. 92–111.
[55] E. Bresson, D. Catalano, and D. Pointcheval, “A Simple Public-Key Cryptosystem with a Double Trapdoor Decryption Mechanism and Its Applications,” in Advances in Cryptology - {ASIACRYPT} 2003, 9th International Conference on the Theory and Application of Cryptology and Information Security, Taipei, Taiwan, November 30 - December 4, 2003, Proceedings, 2003, vol. 2894, pp. 37–54.
[56] J. Hoffstein, J. Pipher, J. H. Silverman, and J. H. Silverman, An introduction to mathematical cryptography, vol. 1. Springer, 2008.
[57] M. Bellare and A. Palacio, “Towards Plaintext-Aware Public-Key Encryption Without Random Oracles,” in ASIACRYPT’04, 2004, vol. 3329, pp. 48–62.
[58] J. Domingo-Ferrer, “A Provably Secure Additive and Multiplicative Privacy Homomorphism,” in ISC’02, 2002, vol. 2433, pp. 471–483.
[59] K. Peng, C. Boyd, E. Dawson, and B. Lee, “Ciphertext Comparison, a New Solution to the Millionaire Problem,” in ICICS’05, 2005, vol. 3783, pp. 84–96.
[60] R. Lu, “Homomorphic Public Key Encryption Techniques,” in Privacy-Enhancing Aggregation Techniques for Smart Grid Communications, Springer, 2016, pp. 13–40.
[61] R. Cramer, I. Damgård, and J. B. Nielsen, “Multiparty Computation from Threshold Homomorphic Encryption,” in EUROCRYPT’01, 2001, vol. 2045, pp. 280–299.
[62] D. Boneh, E.-J. Goh, and K. Nissim, “Evaluating 2-DNF Formulas on Ciphertexts,” in TCC’05, 2005, vol. 3378, pp. 325–341.
[63] C. Gentry, “Computing on Encrypted Data,” in CANS’09, 2009, vol. 5888, p. 477.
[64] C. Gentry, S. Halevi, and N. P. Smart, “Fully Homomorphic Encryption with Polylog Overhead,” in EUROCRYPT’12, 2012, vol. 7237, pp. 465–482.
[65] C. Gentry, “Fully homomorphic encryption using ideal lattices,” in STOC’09, 2009, pp. 169–178.
[66] M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, “Fully Homomorphic Encryption over the Integers,” in EUROCRYPT’10, 2010, vol. 6110, pp. 24–43.
[67] J. C. Benaloh and M. de Mare, “One-Way Accumulators: A Decentralized Alternative to Digital Sinatures (Extended Abstract),” in EUROCRYPT’93, 1993, vol. 765, pp. 274–285.
[68] J. Kelsey, B. Schneier, and D. A. Wagner, “Key-Schedule Cryptanalysis of IDEA, G-DES, GOST, SAFER, and Triple-DES,” in CRYPTO’96, 1996, vol. 1109, pp. 237–251.
[69] K. Huang and R. Tso, “A commutative encryption scheme based on ElGamal encryption,” in 3rd International Conference on Information Security and Intelligent Control, ISIC’12, 2012.
[70] K. Huang, R. Tso, and Y.-C. Chen, “One-time-commutative public key encryption,” in Computing conference 2017, 2017.
[71] T. Diament, H. K. Lee, A. D. Keromytis, and M. Yung, “The dual receiver cryptosystem and its applications,” in 11th ACM conference on Computer and communications security, 2004, pp. 330–343.
[72] Y. Lu, R. Zhang, and D. Lin, “Stronger Security Model for Public-Key Encryption with Equality Test,” in Pairing 2012, 2012, vol. 7708, pp. 65–82.
[73] S. Ma, “Identity-based encryption with outsourced equality test in cloud computing,” Inf. Sci. (Ny)., vol. 328, pp. 389–402, 2016.
[74] T. Wu, S. Ma, Y. Mu, and S. Zeng, “ID-Based Encryption with Equality Test Against Insider Attack,” in ACISP’17, 2017, vol. 10342, pp. 168–183.
[75] G. Yang, C. H. Tan, Q. Huang, and D. S. Wong, “Probabilistic Public Key Encryption with Equality Test,” in CT-RSA’10, 2010, pp. 119–131.
[76] Q. Tang, “Public key encryption supporting plaintext equality test and user-specified authorization,” Secur. Commun. Networks, vol. 5, no. 12, pp. 1351–1362, 2012.
[77] Q. Tang, “Public key encryption schemes supporting equality test with authorisation of different granularity,” IJACT, no. 4, pp. 304–321.
[78] S. Ma, M. Zhang, Q. Huang, and B. Yang, “Public Key Encryption with Delegated Equality Test in a Multi-User Setting,” Comput. J., vol. 58, no. 4, pp. 986–1002, 2015.
[79] K. Huang, R. Tso, Y.-C. Chen, W.-Y. Li, and H.-M. Sun, A new public key encryption with equality test, vol. 8792. 2014.
[80] S. Canard, G. Fuchsbauer, A. Gouget, and F. Laguillaumie, “Plaintext-Checkable Encryption,” in CT-RSA’12, 2012, vol. 7178, pp. 332–348.
[81] K. Huang, R. Tso, Y.-C. Chen, S. M. M. Rahman, A. Almogren, and A. Alamri, “PKE-AET: Public Key Encryption with Authorized Equality Test,” Comput. J., vol. 58, no. 10, pp. 2686–2697, 2015.
[82] V. Shoup, “Sequences of games: a tool for taming complexity in security proofs,” IACR Cryptol. ePrint Arch., vol. 2004, p. 332, 2004.
[83] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, “Public Key Encryption with Keyword Search,” in EUROCRYPT’04, 2004, pp. 506–522.
[84] F. Buccafurri, G. Lax, R. A. Sahu, and V. Saraswat, “Practical and Secure Integrated PKE+PEKS with Keyword Privacy,” in SECRYPT’15, 2015, pp. 448–453.
[85] D. Boneh and B. Waters, “Conjunctive, Subset, and Range Queries on Encrypted Data,” in TCC’07, 2007, pp. 535–554.
[86] E.-K. Ryu and T. Takagi, “Efficient Conjunctive Keyword-Searchable Encryption,” in Advanced Information Networking and Applications AINA’07, 2007, pp. 409–414.
[87] D. J. Park, K. Kim, and P. J. Lee, “Public Key Encryption with Conjunctive Field Keyword Search,” in Information Security Applications, 5th International Workshop, {WISA}’04, 2004, pp. 73–86.
[88] L. Ballard, S. Kamara, and F. Monrose, “Achieving Efficient Conjunctive Keyword Searches over Encrypted Data,” in ICICS’05, 2005, vol. 3783, pp. 414–426.
[89] P. Golle, J. Staddon, and B. R. Waters, “Secure Conjunctive Keyword Search over Encrypted Data,” in ACNS’04, 2004, pp. 31–45.
[90] Y. Zhang and S. Lu, “{POSTER:} Efficient Method for Disjunctive and Conjunctive Keyword Search over Encrypted Data,” in Proceedings of the 2014 {ACM} {SIGSAC} Conference on Computer and Communications Security, 2014, pp. 1535–1537.
[91] B. Zhang and F. Zhang, “An efficient public key encryption with conjunctive-subset keywords search,” J. Netw. Comput. Appl., vol. 34, no. 1, pp. 262–267, 2011.
[92] K. Huang, Y.-C. Chen, and R. Tso, “Semantic secure public key encryption with filtered equality test PKE-FET,” in SECRYPT’15, 2015.
[93] K. Huang, R. Tso, and Y.-C. Chen, “Somewhat Semantic Secure Public Key Encryption with Filtered-Equality-Test in the Standard Model and Its Extension to Searchable Encryption,” J. Comput. Syst. Sci., 2017.
[94] K. Huang, M. Manulis, and L. Chen, “Password authenticated keyword search,” in IEEE PAC, 2017.
[95] M. Abdalla et al., “Searchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions,” J. Cryptol., vol. 21, no. 3, pp. 350–391, 2008.
[96] X. Yi, F. Hao, L. Chen, and J. K. Liu, “Practical Threshold Password-Authenticated Secret Sharing Protocol,” in ESORICS’15, 2015, vol. 9326, pp. 347–365.
[97] A. Bagherzandi, S. Jarecki, N. Saxena, and Y. Lu, “Password-protected secret sharing,” in CCS’11, 2011, pp. 433–444.
[98] J. Camenisch, A. Lysyanskaya, and G. Neven, “Practical yet universally composable two-server password-authenticated secret sharing,” in CCS’12, pp. 525–536.
[99] J. Camenisch, A. Lehmann, A. Lysyanskaya, and G. Neven, “Memento: How to Reconstruct Your Secrets from a Single Password in a Hostile Environment,” in CRYPTO’14, 2014, vol. 8617, pp. 256–275.
[100] S. Jarecki, A. Kiayias, and H. Krawczyk, “Round-Optimal Password-Protected Secret Sharing and T-PAKE in the Password-Only Model,” in ASIACRYPT’14, 2014, vol. 8874, pp. 233–253.
[101] J. Camenisch, R. R. Enderlein, and G. Neven, “Two-Server Password-Authenticated Secret Sharing UC-Secure Against Transient Corruptions,” in PKC’15, 2015, vol. 9020, pp. 283–307.
[102] S. Jarecki, A. Kiayias, H. Krawczyk, and J. Xu, “Highly-Efficient and Composable Password-Protected Secret Sharing (Or: How to Protect Your Bitcoin Wallet Online),” in IEEE European Symposium on Security and Privacy, EuroS&P’16, 2016, pp. 276–291.
[103] R. Curtmola, J. A. Garay, S. Kamara, and R. Ostrovsky, “Searchable symmetric encryption: improved definitions and efficient constructions,” in CCS’06, 2006, pp. 79–88.
[104] C. Örencik, A. Selcuk, E. Savas, and M. Kantarcioglu, “Multi-Keyword search over encrypted data with scoring and search pattern obfuscation,” Int. J. Inf. Sec., vol. 15, no. 3, pp. 251–269, 2016.
[105] Y.-C. Chen, R. Tso, M. Mambo, K. Huang, and G. Horng, “Certificateless aggregate signature with efficient verification,” Secur. Commun. Networks, vol. 8, no. 13, 2015.
[106] K. Huang and R. Tso, “New Convertible Ring Signature Based on RSA,” Inf. J., vol. 16, no. 9b, pp. 7163–7173, 2013.
zh_TW