Unconditionally Secure Anonymous Encryption and Group Authentication

Anonymous channels and similar techniques that achieve sender anonymity play important roles in many applications, e.g. electronic voting. However, they become meaningless if cryptographic primitives that contain the sender's identity are carelessly used during transmission. In computationally secure settings, this problem may be easily overcome by using public key encryption and group signatures. In an unconditionally secure setting, in which no computational difficulty is assumed, the problem is not so easily solved. As increasing computational power approaches the point where security policy can no longer assume the difficulty of solving factoring or discrete logarithm problems, that policy must shift its focus to assuring the solvency of unconditionally secure schemes that provide long-term security. The main contribution of this paper is to study the security primitives for the above problem. We first define the unconditionally secure asymmetric encryption scheme, an encryption scheme with unconditional security in which it is impossible for a receiver to deduce the identity of a sender from the encrypted message. We also investigate tight lower bounds on required memory sizes from an information-theoretic viewpoint and show an optimal construction based on polynomials. Remarkably, these bounds are considerably different from those in Shannon's model of conventional unconditionally secure symmetric encryption. In addition to the polynomial-based scheme, we show a construction based on combinatorial theory, a non-malleable scheme and a multi-receiver scheme. We then define and formalize the group authentication code (GA-code), an unconditionally secure authentication code with anonymity like that of group signatures. In this scheme, any authenticated user is able to generate and send an authenticated message, and the receiver can verify the legitimacy of the message, that is, that it was sent by a legitimate user, while the sender retains anonymity. However, by cooperating with the group authority, for example in the case of a dispute, the receiver is able to obtain information about the user's identity. For the GA-code, we show two concrete constructions.
