Arrow Research search

Author name cluster

Benoît Libert

Possible papers associated with this exact author name in Arrow. This page groups case-insensitive exact name matches and is not a full identity disambiguation profile.

6 papers
1 author row

Possible papers

6

TCS Journal 2021 Journal Article

Adaptive oblivious transfer with access control from lattice assumptions

  • Benoît Libert
  • San Ling
  • Fabrice Mouhartem
  • Khoa Nguyen
  • Huaxiong Wang

Adaptive oblivious transfer (OT) is a protocol where a sender initially commits to a database { M i } i = 1 N. Then, a receiver can query the sender up to k times with private indexes ρ 1, …, ρ k so as to obtain M ρ 1, …, M ρ k and nothing else. Moreover, for each i ∈ [ k ], the receiver's choice ρ i may depend on previously obtained messages { M ρ j } j < i. Oblivious transfer with access control (OT-AC) is a flavor of adaptive OT where database records are protected by distinct access control policies that specify which credentials a receiver should obtain in order to access each M i. So far, all known OT-AC protocols only support access policies made of conjunctions or rely on ad hoc assumptions in pairing-friendly groups (or both). In this paper, we provide an OT-AC protocol where access policies may consist of any branching program of polynomial length, which is sufficient to realize any access policy in NC1. The security of our protocol is proved under the Learning-with-Errors ( LWE ) and Short-Integer-Solution ( SIS ) assumptions. As a result of independent interest, we provide protocols for proving the correct evaluation of a committed branching program on a committed input.

Details DOI

TCS Journal 2019 Journal Article

Zero-knowledge arguments for matrix–vector relations and lattice-based group encryption

  • Benoît Libert
  • San Ling
  • Fabrice Mouhartem
  • Khoa Nguyen
  • Huaxiong Wang

Group encryption ( GE ) is the natural encryption analogue of group signatures in that it allows verifiably encrypting messages for some anonymous member of a group while providing evidence that the receiver is a properly certified group member. Should the need arise, an opening authority is capable of identifying the receiver of any ciphertext. As introduced by Kiayias, Tsiounis and Yung (Asiacrypt'07), GE is motivated by applications in the context of oblivious retriever storage systems, anonymous third parties and hierarchical group signatures. This paper provides the first realization of group encryption under lattice assumptions. Our construction is proved secure in the standard model (assuming interaction in the proving phase) under the Learning-With-Errors ( LWE ) and Short-Integer-Solution ( SIS ) assumptions. As a crucial component of our system, we describe a new zero-knowledge argument system allowing to demonstrate that a given ciphertext is a valid encryption under some hidden but certified public key, which incurs to prove quadratic statements about LWE relations. Specifically, our protocol allows arguing knowledge of witnesses consisting of X ∈ Z q m × n, s ∈ Z q n and a small-norm e ∈ Z m which underlie a public vector b = X ⋅ s + e ∈ Z q m while simultaneously proving that the matrix X ∈ Z q m × n has been correctly certified. We believe our proof system to be useful in other applications involving zero-knowledge proofs in the lattice setting.

Details DOI

TCS Journal 2016 Journal Article

Born and raised distributively: Fully distributed non-interactive adaptively-secure threshold signatures with short shares

  • Benoît Libert
  • Marc Joye
  • Moti Yung

Threshold cryptography is a fundamental distributed computational paradigm for enhancing the availability and the security of cryptographic public-key schemes. It does it by dividing private keys into n shares handed out to distinct servers. In threshold signature schemes, a set of at least t + 1 ≤ n servers is needed to produce a valid digital signature. Availability is assured by the fact that any subset of t + 1 servers can produce a signature when authorized. At the same time, the scheme should remain robust (in the fault tolerance sense) and unforgeable (cryptographically) against up to t corrupted servers; i. e. , it adds quorum control to traditional cryptographic services and introduces redundancy. Originally, most practical threshold signatures have a number of demerits: They have been analyzed in a static corruption model (where the set of corrupted servers is fixed at the very beginning of the attack); they require interaction; they assume a trusted dealer in the key generation phase (so that the system is not fully distributed); or they suffer from certain overheads in terms of storage (large share sizes). In this paper, we construct practical fully distributed (the private key is born distributed), non-interactive schemes—where the servers can compute their partial signatures without communication with other servers—with adaptive security (i. e. , the adversary corrupts servers dynamically based on its full view of the history of the system). Our schemes are very efficient in terms of computation, communication, and scalable storage (with private key shares of size O ( 1 ), where certain solutions incur O ( n ) storage costs at each server). Unlike other adaptively secure schemes, our schemes are erasure-free (reliable erasure is hard to assure and hard to administer properly in actual systems). To the best of our knowledge, such a fully distributed highly constrained scheme has been an open problem in the area. In particular, and of special interest, is the fact that Pedersen's traditional distributed key generation (DKG) protocol can be safely employed in the initial key generation phase when the system is born—although it is well-known not to ensure uniformly distributed public keys. An advantage of this is that this protocol only takes one round optimistically (in the absence of faulty player).

Details DOI

TCS Journal 2013 Journal Article

Adaptively secure non-interactive threshold cryptosystems

  • Benoît Libert
  • Moti Yung

Threshold cryptography aims at enhancing the availability and security of decryption and signature schemes by splitting private keys into several (say n ) shares (typically, each of size comparable to the original secret key). In these schemes, a quorum of at least ( d ≤ n ) servers needs to act upon a message to produce the result (decrypted value or signature), while corrupting less than d servers maintains the scheme’s security. For about two decades, extensive study was dedicated to this subject, which created a number of notable results. So far, most practical threshold signatures, where servers act non-interactively, were analyzed in the limited static corruption model (where the adversary chooses which servers will be corrupted at the system’s initialization stage). Existing threshold encryption schemes that withstand the strongest combination of adaptive malicious corruptions (allowing the adversary to corrupt servers at any time based on its complete view), and chosen-ciphertext attacks (CCA) all require interaction (in the non-idealized model) and attempts to remedy this problem resulted only in relaxed schemes. The same is true for threshold signatures secure under chosen-message attacks (CMA). To date (for about 10 years), it has been open whether there are non-interactive threshold schemes providing the highest security (namely, CCA-secure encryption and CMA-secure signature) with scalable shares (i. e. , as short as the original key) and adaptive security. This paper answers this question affirmatively by presenting such efficient decryption and signature schemes within a unified algebraic framework.

Details DOI

TCS Journal 2012 Journal Article

Attribute-based encryption schemes with constant-size ciphertexts

  • Nuttapong Attrapadung
  • Javier Herranz
  • Fabien Laguillaumie
  • Benoît Libert
  • Elie de Panafieu
  • Carla Ràfols

Attribute-based encryption (ABE), as introduced by Sahai and Waters, allows for fine-grained access control on encrypted data. In its key-policy flavor (the dual ciphertext-policy scenario proceeds the other way around), the primitive enables senders to encrypt messages under a set of attributes and private keys are associated with access structures that specify which ciphertexts the key holder will be allowed to decrypt. In most ABE systems, the ciphertext size grows linearly with the number of ciphertext attributes and the only known exception only supports restricted forms of access policies. This paper proposes the first attribute-based encryption (ABE) schemes allowing for truly expressive access structures and with constant ciphertext size. Our first result is a ciphertext-policy attribute-based encryption (CP-ABE) scheme with O ( 1 ) -size ciphertexts for threshold access policies and where private keys remain as short as in previous systems. As a second result, we show that a certain class of identity-based broadcast encryption schemes generically yields monotonic key-policy attribute-based encryption (KP-ABE) systems in the selective set model. Our final contribution is a KP-ABE realization supporting non-monotonic access structures (i. e. , that may contain negated attributes) with short ciphertexts. As an intermediate step toward this result, we describe a new efficient identity-based revocation mechanism that, when combined with a particular instantiation of our general monotonic construction, gives rise to the most expressive KP-ABE realization with constant-size ciphertexts. The downside of our second and third constructions is that private keys have quadratic size in the number of attributes. On the other hand, they reduce the number of pairing evaluations to a constant, which appears to be a unique feature among expressive KP-ABE schemes.

Details DOI

TCS Journal 2011 Journal Article

Efficient traceable signatures in the standard model

  • Benoît Libert
  • Moti Yung

Traceable signatures (TS), suggested by Kiayias, Tsiounis and Yung (Eurocrypt’04), extend group signatures to address various basic traceability issues beyond merely identifying the anonymous signer of a rogue signature. Namely, they enable the efficient tracing of all signatures produced by a misbehaving party without opening the identity of other parties. They also allow users to provably claim ownership of a previously signed anonymous signature. To date, known TS systems all rely on the random oracle model. In this work we present the first realization of the primitive that avoids resorting to the random oracle methodology in its security proofs. Furthermore, our realization’s efficiency is comparable to that of the latest fastest and shortest standard model group signatures.

Details DOI