At Crypto07, Goyal introduced the concept of Accountable Authority Identity-Based Encryption as a convenient tool to reduce the amount of trust in authorities in Identity-Based Encryption. In this model, if the Private Key Generator (PKG) maliciously
re-distributes users decryption keys, it runs the risk of being caught and prosecuted. Goyal proposed two constructions: the first one is efficient but can only trace well-formed decryption keys to their source; the second one allows tracing obfuscated decryption boxes in a model (called weak black-box model) where cheating authorities have no decryption oracle. The latter scheme is unfortunately far less efficient in terms of decryption cost and ciphertext size. In this work, we propose a new construction that combines the efficiency of Goyals first proposal with a very simple weak black-box tracing mechanism. Our scheme is described in the selective-ID model but readily extends to meet all security properties in the adaptive-ID sense, which is not known to be true for prior black-box schemes.
In 1998, Blaze, Bleumer, and Strauss suggested a cryptographic primitive named proxy re-signatures where a proxy turns a signature computed under Alices secret key into one from Bob on the same message. The semi-trusted proxy does not learn either pa
rtys signing key and cannot sign arbitrary messages on behalf of Alice or Bob. At CCS 2005, Ateniese and Hohenberger revisited the primitive by providing appropriate security definitions and efficient constructions in the random oracle model. Nonetheless, they left open the problem of designing a multi-use unidirectional scheme where the proxy is able to translate in only one direction and signatures can be re-translated several times. This paper solves this problem, suggested for the first time 10 years ago, and shows the first multi-hop unidirectional proxy re-signature schemes. We describe a random-oracle-using system that is secure in the Ateniese-Hohenberger model. The same technique also yields a similar construction in the standard model (i.e. without relying on random oracles). Both schemes are efficient and require newly defined -- but falsifiable -- Diffie-Hellman-like assumptions in bilinear groups.
