Fucai Luo

and 3 more

Cross-silo federated learning (FL) allows organizations to collaboratively train machine learning (ML) models by aggregating local gradients from clients without sharing their training data. Despite its merits, it suffers from privacy concerns due to the leakage of local gradients. A popular approach is to have clients mask their local gradients using homomorphic encryption (HE). However, this not only results in a reliance on a trusted third party (TTP), but also leads to significant computational and communication overhead. In addition, in existing cross-silo FL protocols, the aggregation operation is performed by a centralized aggregator, raising new security issues. One of these issues involves verifying the correctness of the aggregated results returned by the aggregator. The aggregator has been removed in the cross-device setting by leveraging blockchain technology, but not in the cross-silo setting. In this paper, we propose FreeFL, an efficient privacypreserving cross-silo FL that eliminates the need for the TTP and aggregator, as well as achieves the optimal communication rounds. The high-level idea behind FreeFL is to customize a lightweight decentralized symmetric encryption with additive homomorphism for cross-silo FL. To this end, we design an efficient decentralized multiparty symmetric encryption (DMSE) scheme and two lightweight multiparty computation protocols. We evaluate the performance of FreeFL, and the experimental results indicate that FreeFL exhibits high efficiency in both computation and communication. Additionally, we conduct experimental comparisons between FreeFL and other existing HEbased cross-silo FL protocols to show that FreeFL achieves significant computational efficiency improvements.

Fucai Luo

and 3 more

Proxy re-encryption (PRE) allows a proxy to use the reencryption keys to convert ciphertexts encrypted under the delegators' public keys into ones that can be decrypted using the delegatees' secret keys, without revealing the underlying plaintext. However, PRE is limited to an all-or-nothing re-encryption, that is, the delegatee can either decrypt the re-encrypted ciphertext to obtain the whole message, or it learns nothing about the underlying message. To address this limitation, Zhou et al. (Asiacrypt 2023) proposed a new variant of PRE called fine-grained PRE (FPRE). FPRE extends PRE to support fine-grained re-encryption, allowing the proxy to convert any ciphertext encrypting a message m to a new ciphertext encrypting f (m) with a fine-grained re-encryption key for any function f. This enables the delegator to flexibly control the sharing of messages by specifying functions. Unfortunately, their scheme achieves only CPA security and requires a common random/reference string (CRS) during key generation. This requirement may weaken the syntax of (F)PRE, which allows users to independently generate their own keys. In this paper, we propose a new FPRE for bounded linear functions that we prove is CCA1 secure and does not require a CRS, based on the Learning with Errors (LWE) assumption. When the linear function is set to be the identity function, our construction immediately yields the first PRE scheme without a CRS, with CCA1 security under adaptive corruptions in the standard model. The main technique behind our construction is the design of a deterministic preimage computation algorithm for the decryption oracle in the security proof. To demonstrate the broader applicability of our proposed algorithm beyond the context of (F)PRE, we use it to prove the selective-identity CCA1 security of Agrawal et al.'s (Eurocrypt 2010) identity-based encryption (IBE) scheme, which was previously only known to be selective-identity CPA secure.

Fucai Luo

and 4 more

Inner-product functional encryption (IPFE) is an exciting paradigm for non-interactively computing on encrypted data where a master secret key can be used to derive decryption keys associated with certain inner-product functions in such a way that the decryption operation reveals an inner-product result, and nothing else. Over the decades, all efforts regarding existing IPFE schemes have been dedicated to extending them to multi-input/multi-client scenarios, understanding the security concepts that can be achieved, and identifying a multitude of practical use cases. However, in the event of key compromise, a common issue in real-world applications, the existing IPFE schemes are unable to guarantee the confidentiality of past encryptions. This paper introduces a novel variant of IPFE that supports key updates, called updatable IPFE, potentially opening up a new avenue of research to address the common key exposure problem. In this setting, any sender can initiate the transition to the next period by computing a new public key and a special update. The special update can be processed by the system administrator and the receiver to compute the next-period master secret key and the next-period decryption key, respectively. If done honestly, future (regular) ciphertexts generated with the new public key can be decrypted with the new decryption key, but ciphertexts from the past cannot be decrypted with the new decryption key. To formally illustrate this, we formalize the notion of the indistinguishability-based security under chosen randomness chosen plaintext attacks (IND-CR-CPA). We further propose the first efficient construction of updatable IPFE in the standard model, based on Learning with Errors (LWE) assumption with polynomial modulus-to-noise rate. Finally, we conduct a comprehensive performance evaluation of our updatable IPFE, and the experimental results demonstrate its computational efficiency, making it a viable solution for real-world applications.

Fucai Luo

and 3 more

Public-key Encryption with Keyword Search (PEKS) is a promising cryptographic mechanism that enables a semi-trusted cloud server to perform (on-demand) keyword searches over encrypted data for data users. Existing PEKS schemes are limited to precise or fuzzy keyword searches, creating a gap given the widespread use of wildcards for rapid searches in real-world applications. To address this issue, several wildcard keyword search schemes have been proposed to support wildcard searches in the public key setting. However, these schemes suffer from inefficiency and/or inflexibility. Worse yet, they are all vulnerable to (insider) keyword guessing attacks (KGA), which is highly effective when the keyword space is polynomial in size. To address these vulnerabilities, this paper first proposes a new wildcard keyword search scheme called Public-key Encryption with Wildcard Search (PEWS), which is built based on the standard Decisional Diffie-Hellman (DDH) assumption. The complexity of all algorithms in PEWS increases linearly with the number of keywords, while remaining almost constant or even decreasing linearly with the number of wildcards. To resist against (insider) KGA, we further extend PEWS into the first Public-key Authenticated Encryption with Wildcard Search (PAEWS) scheme. Our PEWS and PAEWS schemes are highly flexible, supporting searches not only for sets of keywords but also for any number of wildcards positioned anywhere within the keyword set. We conduct a comprehensive performance evaluation of our PEWS and PAEWS, while also comparing PEWS with the state-of-the-art scheme in the public key setting. The experimental results demonstrate that both PEWS and PAEWS are efficient and practical in computation and communication, and the experimental comparisons illustrate that PEWS achieves significant improvements in computational efficiency.
Mobile crowdsensing (MCS) is a promising sensing paradigm  which allows users to outsource a range of sensing tasks to a crowd of mobile workers with mobile devices. Location-dependent MCS, as the name implies, is a geographically-dependent sensing paradigm in which service requestors outsource location-specific tasks to many workers with mobile devices, and the workers accepting the tasks collect data at a particular location by physically arriving at the desired locations. Many efforts have been devoted to protecting location privacy of the tasks and the workers accepting the tasks while ensuring task allocation accuracy and efficiency. In 2021, Jiang et al. proposed P2AE, a privacy-preserving protocol for location-dependent MCS. To achieve the privacy-preserving task release and task allocation, they designed a location based symmetric key generator, which enables the service requestor and workers with mobile devices in the task area to generate the same key themselves without disclosing the location information to the service provider. The privacy they claimed to achieve includes the locations of workers, task location, and task content. However, in this paper, we demonstrate that P2AE is vulnerable to brute force attacks. Specifically, we show that with brute force attacks, the service provider can obtain the locations of workers, task location, and task content with a high probability, which completely breaches the security of P2AE. We hope that by identifying the security issue, similar errors can be avoided in future designs of privacy-preserving protocol for location-dependent MCS.
Proxy re-encryption (PRE), as a promising cryptographic primitive for secure data sharing in cloud, has been widely studied for decades. PRE allows the proxies to use the re-encryption keys to convert ciphertexts computed under the delegator’s public key into ones that can be decrypted using the delegatees’ secret keys, without knowing anything about the underlying plaintext. This delegable property of decryption rights gives rise to an important issue: if some proxies reveal their re-encryption keys, or collude with some delegatees to create a pirate decoder, then anyone who gains access to the pirate decoder can decrypt all ciphertexts computed under the delegator’s public key without the delegator’s permission. Several works have provided potential solutions to this issue by designing tracing mechanisms on PRE, where proxies that reveal their re-encryption keys can be identifified by the delegator. However,  these solutions perform poorly in terms of the sizes of the public, the secret and the re-encryption keys, and support neither multi-hop nor public traceability. This paper advances the research of tracing mechanisms on PRE and proposes the fifirst public trace-and-revoke PRE system, where the malicious delegatees involved in the generation of a pirate decoder can be identifified by anyone who gains access to the pirate decoder, and their decryption capabilities can subsequently be revoked by the content distributor. Our construction is multi-hop, supports user revocation and public (black-box) traceability, and achieves signifificant effificiency advantages over previous constructions. Our construction is a generic transformation from inner-product functional PRE (IPFPRE) that we introduce to trace-and-revoke PRE. In addition, we instantiate our generic construction of trace-and-revoke PRE from the Learning with Errors (LWE) assumption, which was widely believed to be quantum-resistant. This is achieved by proposing the fifirst LWE-based IPFPRE scheme, which may be of independent interest.

Haiyan Wang

and 2 more