Shorter Identity-Based Encryption via Asymmetric Pairings
Jie Chen 1, Hoon Wei Lim 1, San Ling 1, Huaxiong Wang 1, and Hoeteck Wee 2

1 Division of Mathematical Sciences, School of Physical & Mathematical Sciences, Nanyang Technological University, Singapore
2 George Washington University, US
s08000@e.ntu.edu.sg, {hoonwei,lingsan,hxwang}@ntu.edu.sg, hoeteck@gwu.edu

Abstract. We present efficient Identity-Based Encryption (IBE) under the Symmetric External Diffie-Hellman (SXDH) assumption in bilinear groups. In our IBE scheme, all parameters have constant numbers of group elements, and are shorter than those of previous constructions based on the Decisional Linear (DLIN) assumption. Our construction uses both dual system encryption (Waters, Crypto 09) and dual pairing vector spaces (Okamoto and Takashima, Pairing 08, Asiacrypt 09). Specifically, we show how to adapt the recent DLIN-based instantiation of Lewko (Eurocrypt 12) to the SXDH assumption. To our knowledge, this is the first work to instantiate either dual system encryption or dual pairing vector spaces under the SXDH assumption. Furthermore, our work could be extended to many other Functional Encryption schemes. Particularly, we show how to instantiate our framework to Inner Product Encryption (IPE) and Key-Policy Functional Encryption (KP-FE). All parameters of our constructions are shorter than those of DLIN-based constructions.

Research of the authors is supported in part by the National Research Foundation of Singapore under Research Grant NRF-CRP. Hoeteck Wee's work is also supported by NSF CAREER Award CNS.
1 Introduction

Identity-Based Encryption. The idea of using a user's identity as her public encryption key, and thus eliminating the need for a public key certificate, was conceived by Shamir [34]. Such a primitive is known as Identity-Based Encryption (IBE), which has been extensively studied particularly over the last decade. We now have constructions of IBE schemes from a large class of assumptions, namely pairings, quadratic residuosity and lattices, starting with the early constructions in the random oracle model [9, 7, 23], to more recent constructions in the standard model [5, 7, 8, 6, ].

Short IBE. It is desirable that an IBE scheme be as efficient as possible, if it were to have any impact on practical applications. Ideally, we would like to have constant-size public parameters, secret keys, and ciphertexts. Moreover, the scheme should ideally achieve full security, namely to be resilient even against an adversary that adaptively selects an identity to attack based on previous secret keys. The first fully secure efficient IBE with constant-size public parameters and ciphertexts under standard assumptions was obtained by Waters [37] in 2009; this scheme relied on the Decisional Bilinear Diffie-Hellman (DBDH) and Decisional Linear (DLIN) assumptions. Since then, Lewko and Waters [27] and Lewko [26] gave additional fully secure efficient IBE schemes that achieve incomparable guarantees. Prior to these works, all known IBEs (in the standard model) were either selectively secure [5, 7, 6, ], or required long parameters [8, 36, 6, ], or were based on less standard assumptions that depended on the query complexity of the adversary [22]. From a practical standpoint, Waters' fully secure IBE [37] is still not very efficient as it has relatively large ciphertexts and secret keys, i.e., eleven and nine group elements, respectively. Lewko's scheme [26] improved on both of these parameters at the cost of larger public parameters and master key.

Shorter IBE? In his work, Waters also suggested obtaining even more efficient IBE schemes by turning to asymmetric bilinear groups: "Using the SXDH assumption we might hope to shave off three group elements from both ciphertexts and private keys." (Footnote 1) In fact, improving the efficiency of a scheme using asymmetric pairings was first observed by Boneh, Boyen and Shacham [0]. At a fixed security level, group elements in the asymmetric setting are smaller and pairings can be computed more efficiently [20]. (Estimated bit sizes of group elements for bilinear group generators are given in the next paragraph.) Informally, the SXDH assumption states that there are prime-order groups $(\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T)$ that admit a bilinear map $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$ such that the Decisional Diffie-Hellman (DDH) assumption holds in both $\mathbb{G}_1$ and $\mathbb{G}_2$. The SXDH assumption was formally defined by Ballard et al. [3] in their construction of a searchable encryption scheme, and has since been used in a number of different contexts, including secret-handshake schemes [2], anonymous IBE [8], continual leakage-resilience [3], and most notably, Groth-Sahai proofs [24]. Evidence for the validity of this assumption was presented in the works of Verheul [35] and Galbraith and Rotger [2].

Footnote 1: Here, we do not separately consider group elements from target groups of pairings, although a ciphertext typically has a group element that is from an associated target group. In Table 2, we give more accurate sizes comparing existing and our scheme.
Symmetric vs Asymmetric Pairings. The ordinary elliptic curves that give the best performance while providing discrete log security comparable to three commonly proposed levels of AES security are given in Table 1.

Table 1. Estimated bit sizes of elements in bilinear groups. (Columns: $|\mathbb{G}_1|$, $|\mathbb{G}_2|$, $|\mathbb{G}_T|$ at 80-bit, 128-bit and 256-bit AES security; one row for asymmetric pairings and one for symmetric pairings. The numeric entries of the table did not survive the transcription.)

The group sizes follow the 2007 NIST recommendations [4]; descriptions of the elliptic curves are in [9]: 80-bit security, a 170-bit MNT curve [29] with embedding degree k = 6; 128-bit security, a 256-bit Barreto-Naehrig curve [5] with k = 12; 256-bit security, a 640-bit Brezing-Weng curve [4] with k = 24. Note that we assume that curves that support sextic twists are used for k = 12 and k = 24, as this allows elements of $\mathbb{G}_2$ to be 1/6 the size of elements of $\mathbb{G}_T$. We also assume that point compression is used to represent a group element. We further note that a symmetric pairing only exists on supersingular elliptic curves. The restriction to supersingular elliptic curves means that at high security levels the group $\mathbb{G}_0$ (symmetric setting) will be much larger than the group $\mathbb{G}_1$ on an equivalent ordinary curve.

Our Contributions. In this work, we present a more efficient IBE scheme under the SXDH assumption; our scheme also achieves anonymity (Footnote 2). The ciphertexts and secret keys consist of only five and four group elements, respectively. That is, we shave off two group elements from both ciphertexts and private keys in Lewko's DLIN-based IBE [26]. Table 2 gives a summary of comparisons between existing and our IBE schemes.

Table 2. Comparison between existing and our IBE schemes (λ is the security parameter and it depends on the curve we use). Here, PP, SK, CT, # pairing stand for public parameters size, secret key size, ciphertext size, and the number of pairings for decryption, respectively; $|\mathbb{G}_x|$ represents the bit length of an element of group $\mathbb{G}_x$, where x ∈ {0, 1, 2, T}, and $\mathbb{G}_0$ refers to a group in the symmetric pairing setting.

Source      | PP               | SK              | CT                      | # pairing | anonymity | assumptions
Waters [36] | (4 + λ)|G_0|     | 2|G_0|          | 2|G_0| + |G_T|          | 2         | No        | DBDH
Waters [37] | 12|G_0| + |G_T|  | 8|G_0| + |Z_q|  | 9|G_0| + |G_T| + |Z_q|  | 9         | No        | DLIN, DBDH
Lewko [26]  | 24|G_1| + |G_T|  | 6|G_2|          | 6|G_1| + |G_T|          | 6         | Yes       | DLIN
RCS [33]    | 8|G_1| + |G_T|   | 6|G_2| + |Z_q|  | 8|G_1| + |G_T|          | 7         | No        | XDH, DLIN, DBDH
Ours        | 8|G_1| + |G_T|   | 4|G_2|          | 4|G_1| + |G_T|          | 4         | Yes       | SXDH

Footnote 2: It follows from our analysis that Lewko's IBE [26] is also anonymous, although this was not pointed out in her paper.
Our approach. As with all known fully secure efficient IBEs, our construction relies on Waters' dual system encryption framework [37]. Following Lewko's DLIN-based IBE [26], we instantiate dual system encryption under the SXDH assumption via dual pairing vector spaces [30, 3], which is a technique to achieve orthogonality in prime-order groups. This is the first work to instantiate either dual system encryption or dual pairing vector spaces under the SXDH assumption. We proceed to highlight several salient features of our IBE scheme in relation to Lewko's IBE [26]:

- Our scheme has an extremely simple structure, similar to the selectively secure IBE of Boneh and Boyen [7], as well as the fully secure analogues given by Lewko and Waters [27] and Lewko [26].
- By shifting from the DLIN assumption to the simpler SXDH assumption, we obtain an IBE scheme that is syntactically simpler and achieves shorter parameters. Specifically, Lewko's IBE scheme [26] relies on 6 basis vectors to simulate the subgroup structure in the Lewko-Waters IBE scheme [27], whereas our construction uses only 4 basis vectors. This means that we can use a 4-dimensional vector space instead of a 6-dimensional one. As a result, we save two group elements in both the secret key and the ciphertext, that is, by a factor of 1/3. The savings for the public parameters and master key are even more substantial, because we use only two basis vectors for the main scheme, as opposed to four basis vectors in Lewko's scheme. In both our scheme and in Lewko's, the remaining two basis vectors are used for the semi-functional components in the proof of security.
- The final step of the proof of security (after switching to semi-functional secret keys and ciphertexts) is different from that of Lewko's. We rely on an information-theoretic argument similar to that in [32] instead of computational arguments.
- Finally, we believe that our SXDH instantiation constitutes a simpler demonstration of the power of dual pairing vector spaces.

We also show how to instantiate our framework to Inner Product Encryption (IPE) [25] and Key-Policy Functional Encryption (KP-FE) [32]. All parameters of our constructions are shorter than those of DLIN-based constructions [32]. Table 3 gives a summary of comparisons between the IPE/KP-FE schemes of [32] and ours.

Table 3. Comparison between the IPE/KP-FE schemes of [32] and ours (all measurements are rough estimations after removing small terms). Here, n refers to the dimension parameter in the IPE setting or the parameter for the maximal dimension of an attribute vector in the KP-FE setting; d denotes the size of the attribute set; and â is the number of rows in the matrix of the access structure.

IPE
Source   | PP                   | SK        | CT                 | # pairing | assumptions
OT [32]  | 3n^2|G_0| + |G_T|    | 3n|G_0|   | 3n|G_0| + |G_T|    | 3n        | DLIN
Ours     | 2n^2|G_1| + |G_T|    | 2n|G_2|   | 2n|G_1| + |G_T|    | 2n        | SXDH

KP-FE
Source   | PP                   | SK        | CT                 | # pairing | assumptions
OT [32]  | 3n^2 d|G_0| + |G_T|  | 3nâ|G_0|  | 3nd|G_0| + |G_T|   | 3nâ       | DLIN
Ours     | 2n^2 d|G_1| + |G_T|  | 2nâ|G_2|  | 2nd|G_1| + |G_T|   | 2nâ       | SXDH

Independent work of Ramanna et al. An independent work of Ramanna, Chatterjee and Sarkar [33] also demonstrated how to obtain more efficient fully secure IBE via asymmetric pairings. Similar to our work, their constructions rely on dual system encryption; however, they do not make use of dual pairing vector spaces. Our constructions achieve shorter ciphertexts and secret keys than
their work, while relying on a single assumption (whereas their construction relies on a triplet of assumptions). Moreover, our scheme achieves anonymity; theirs does not. Finally, they obtain their schemes via careful optimizations, whereas our scheme is derived via a more general framework.

2 Preliminaries

In what follows, we borrow the definition and the game-based security model for Functional Encryption (FE) from [2], which are adequate to define all encryption systems in this paper.

2.1 Functional Encryption

As in [2], we first describe a functionality $\hat F$ of the syntactic definition of FE. The functionality $\hat F$ describes the functions of a plaintext that can be learned from the ciphertext:

Definition 1. A functionality $\hat F$ defined over $(K, X)$ is a function $\hat F : K \times X \to \{0,1\}^*$, described as a (deterministic) Turing Machine. The set K is called the key space and the set X is called the plaintext space. We require that the key space K contain a special key called the empty key, denoted ϱ.

An FE scheme for the functionality $\hat F$ enables one to evaluate $\hat F(v, x)$ given the encryption of x and a secret key $SK_v$ for v. The algorithm for evaluating $\hat F(v, x)$ using $SK_v$ is called decrypt. More precisely, an FE scheme is defined as follows:

Definition 2. A functional encryption scheme (FE) for a functionality $\hat F$ defined over $(K, X)$ is a tuple of four probabilistic polynomial-time (PPT) algorithms (Setup, KeyGen, Enc, Dec) satisfying the following correctness condition for all $v \in K$ and $x \in X$:
$(PP, MK) \leftarrow \mathrm{Setup}(1^\lambda)$ (generate a public and master secret key pair)
$SK_v \leftarrow \mathrm{KeyGen}(PP, MK, v)$ (generate a secret key for v)
$CT \leftarrow \mathrm{Enc}(PP, x)$ (encrypt plaintext x)
$y \leftarrow \mathrm{Dec}(PP, SK_v, CT)$ (use $SK_v$ to compute $\hat F(v, x)$ from CT)
then we require that $y = \hat F(v, x)$ with probability 1.

The empty key ϱ: The special key ϱ in K captures all the information about the plaintext that intentionally leaks from the ciphertext. The secret key for ϱ is empty and also denoted by ϱ. Thus, anyone can run $\mathrm{Dec}(PP, \varrho, CT)$ on a ciphertext $CT \leftarrow \mathrm{Enc}(PP, x)$ and obtain all the information about x that intentionally leaks from CT. Take IBE for example: $\hat F(\varrho, (id, m))$ outputs only |m| (the length of message m) in the attribute-hiding setting, while it outputs |m| and the identity id in the payload-hiding setting. Henceforth, we assume that every FE scheme contains the empty key ϱ in the key space K and we will not explicitly mention it.

We now define the security model for FE. For the plaintext pair $(x_0, x_1)$ of an adversary's choice, we need the following requirement to make the experiment non-trivial:
$\hat F(v, x_0) = \hat F(v, x_1)$ for all v for which the adversary has $SK_v$. (1)
Then we define a security game for an FE scheme as follows:
Definition 3. For β = 0, 1, define an experiment β for an adversary $\mathcal{A}$ as follows: Setup: It runs $(PP, MK) \leftarrow \mathrm{Setup}(1^\lambda)$ and gives PP to $\mathcal{A}$. Query: $\mathcal{A}$ adaptively submits key queries $v_i$ in K for i = 1, 2, ... and is given $SK_{v_i} \leftarrow \mathrm{KeyGen}(PP, MK, v_i)$. Challenge: $\mathcal{A}$ submits two plaintexts $x_0, x_1 \in X$ satisfying requirement (1) and in return, it receives $\mathrm{Enc}(PP, x_\beta)$. Guess: $\mathcal{A}$ continues to issue key queries as before subject to requirement (1) and eventually outputs a bit in {0, 1}. For β = 0, 1, let $W_\beta$ be the event that the adversary outputs 1 in Experiment β and define $\mathrm{Adv}^{FE}_{\mathcal{A}}(\lambda) := |\Pr[W_0] - \Pr[W_1]|$.

Definition 4. An FE scheme is fully secure if for all PPT adversaries $\mathcal{A}$ the function $\mathrm{Adv}^{FE}_{\mathcal{A}}(\lambda)$ is negligible.

In all encryption systems of this paper, a plaintext $x \in X$ is itself a pair $(ind, m) \in I \times M$ where ind is called an index and m is called the payload message. Let $x_0 = (ind_0, m_0), x_1 = (ind_1, m_1) \in X$ be the adversary's choice of plaintext pair; we then consider the following variations: If the adversary's choice is subject to the restriction that $ind_0 = ind_1$, the security game is then under the payload-hiding model; if the adversary's queries are subject to the restriction that $\hat F(v_i, (ind_0, m_0)) \neq m_0$ and $\hat F(v_i, (ind_1, m_1)) \neq m_1$ for all the key queries $v_i$, the security game is then under the weakly attribute-hiding (or anonymous) model.

2.2 Identity-Based Encryption. In the IBE setting, a functionality $\hat F$ is defined over a key space and an index space using sets of identities. The key space K and index space I for IBE then correspond to all identities id. Here
$\hat F(id', (id, m)) := m$ if $id = id'$, and $\bot$ otherwise.

2.3 Inner Product Encryption. In the IPE setting, a functionality $\hat F$ is defined over a key space and an index space using sets of vectors. The key space K (resp. index space I) for IPE then corresponds to all non-zero vectors $\vec v$ (resp. $\vec x$). Here
$\hat F(\vec v, (\vec x, m)) := m$ if $\vec x \cdot \vec v = 0$, and $\bot$ otherwise.

2.4 Key-Policy Functional Encryption. We first describe the concept of span programs typically required by ABE.
Definition 5 (Span Programs [6]). Let $\{p_1, \dots, p_n\}$ be a set of variables. A span program over $\mathbb{Z}_q$ is a labeled matrix $(\hat A, \hat\rho)$ where $\hat A$ is an $(\hat a \times \hat b)$ matrix over $\mathbb{Z}_q$ and $\hat\rho$ is a labeling of the rows of $\hat A$ by literals from $\{p_1, \dots, p_n, \neg p_1, \dots, \neg p_n\}$ (every row is labeled by one literal), i.e., $\hat\rho : [\hat a] \to \{p_1, \dots, p_n, \neg p_1, \dots, \neg p_n\}$. A span program accepts or rejects an input by the following criterion. For every input sequence $\delta \in \{0,1\}^n$ define the submatrix $\hat A_\delta$ of $\hat A$ consisting of those rows whose labels are set to 1 by the input, i.e., either rows labeled by some $p_i$ such that $\delta_i = 1$ or rows labeled by some $\neg p_i$ such that $\delta_i = 0$ (i.e., $\hat\gamma : [\hat a] \to \{0,1\}$ is defined by $\hat\gamma(j) = 1$ if $[\hat\rho(j) = p_i] \wedge [\delta_i = 1]$ or $[\hat\rho(j) = \neg p_i] \wedge [\delta_i = 0]$, and $\hat\gamma(j) = 0$ otherwise. Let $\hat A_\delta := (\hat A_j)_{\hat\gamma(j)=1}$, where $\hat A_j$ is the j-th row of $\hat A$). The span program $(\hat A, \hat\rho)$ accepts δ if and only if $\vec 1 \in \mathrm{span}\langle \hat A_\delta \rangle$, i.e., some linear combination of the rows of $\hat A_\delta$ gives the all one vector $\vec 1$, where $\vec 1 = (1, \dots, 1)$. A span program computes a Boolean function $\hat f$ if it accepts exactly those inputs δ where $\hat f(\delta) = 1$. A span program is called monotone if the labels of the rows are only the positive literals $\{p_1, \dots, p_n\}$. Otherwise, it is non-monotone.

We first give the notion of a non-monotone access structure with evaluating map $\hat\gamma$ by using inner-products of attribute vectors.

Definition 6 (Inner Products of Attribute Vectors and Access Structures [32]). $U_i$ ($i = 1, \dots, d$ and $U_i \subset \{0,1\}^*$) is a sub-universe, a set of attributes, each of which is expressed by a pair of sub-universe id and $n_i$-dimensional vector, i.e., $(i, \vec v)$, where $i \in [d]$ and $\vec v \in \mathbb{Z}_q^{n_i} \setminus \{\vec 0\}$. We denote such a structure as $\vec n := (d; n_1, \dots, n_d)$. We define such an attribute to be a variable p of a span program $(\hat A, \hat\rho)$, i.e., $p := (i, \vec x)$. An access structure $\mathbb{S}$ is a span program $(\hat A, \hat\rho)$ along with variables $p := (i, \vec x), p' := (i', \vec x'), \dots$, i.e., $\mathbb{S} := (\hat A, \hat\rho)$ such that $\hat\rho : [\hat a] \to \{(i, \vec x), (i', \vec x'), \dots, \neg(i, \vec x), \neg(i', \vec x'), \dots\}$. Let Γ be a set of attributes, i.e., $\Gamma := \{(i, \vec v_i) \mid \vec v_i \in \mathbb{Z}_q^{n_i} \setminus \{\vec 0\}, 1 \le i \le d\}$, where $1 \le i \le d$ means that i is an element of some subset of [d]. When Γ is given to the access structure $\mathbb{S}$, the map $\hat\gamma : [\hat a] \to \{0,1\}$ for span program $(\hat A, \hat\rho)$ is defined as follows: For all $j \in [\hat a]$, set $\hat\gamma(j) = 1$ if $[\hat\rho(j) = (i, \vec x_j)] \wedge [(i, \vec v_i) \in \Gamma] \wedge [\vec x_j \cdot \vec v_i = 0]$ or $[\hat\rho(j) = \neg(i, \vec x_j)] \wedge [(i, \vec v_i) \in \Gamma] \wedge [\vec x_j \cdot \vec v_i \neq 0]$. Set $\hat\gamma(j) = 0$ otherwise. Access structure $\mathbb{S} := (\hat A, \hat\rho)$ accepts Γ iff $\vec 1 \in \mathrm{span}\langle (\hat A_j)_{\hat\gamma(j)=1} \rangle$.

We use the following secret-sharing scheme for a non-monotone access structure or span program.

Definition 7. A secret-sharing scheme for access structure $\mathbb{S}$ is a linear secret-sharing scheme (LSSS) in $\mathbb{Z}_q$ and is represented by $(\hat A, \hat\rho)$ if it consists of two efficient algorithms:
$\mathrm{LinShare}_{(\hat A, \hat\rho)}$: Let $\hat A$ be an $\hat a \times \hat b$ share-generating matrix. Let $\vec f := (w_1, \dots, w_{\hat b})^T \leftarrow_R \mathbb{Z}_q^{\hat b}$. Then, $s_0 := \vec 1 \cdot \vec f$ is the secret to be shared, and $\vec s := (s_1, \dots, s_{\hat a})^T := \hat A \cdot \vec f$ is the vector of $\hat a$ shares of the secret $s_0$, and the share $s_j$ belongs to $\hat\rho(j)$.
$\mathrm{LinRecon}_{(\hat A, \hat\rho)}$: If the span program $(\hat A, \hat\rho)$ accepts δ, or access structure $\mathbb{S} := (\hat A, \hat\rho)$ accepts Γ, i.e., $\vec 1 \in \mathrm{span}\langle (\hat A_j)_{\hat\gamma(j)=1} \rangle$ with $\hat\gamma : [\hat a] \to \{0,1\}$, then there exist constants $\{\alpha_j \in \mathbb{Z}_q \mid j \in \Pi\}$ such that $\Pi \subseteq \{j \in [\hat a] \mid \hat\gamma(j) = 1\}$ and $\sum_{j \in \Pi} \alpha_j s_j = s_0$. Furthermore, these constants $\alpha_j$ can be computed in time polynomial in the size of matrix $\hat A$.
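The LinShare/LinRecon algorithms of Definition 7, run over a small non-monotone access structure whose literals are inner-product attributes as in Definition 6, as an added example that is not code from the paper. It assumes a constructed $3 \times 2$ matrix $\hat A$ (so $\hat b = 2$ and two linearly independent satisfied rows span $\vec 1$, which Cramer's rule solves), constructed labels and attribute sets, and a toy prime in place of q; the general $\hat b$ needs a linear solver over $\mathbb{Z}_q$ instead.

```python
# Added example (not from the paper): LinShare / LinRecon of Definition 7 over a small
# non-monotone access structure whose literals are inner-product attributes (Definition 6).
import itertools
import secrets

Q = 2**61 - 1   # constructed prime standing in for the group order q


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q


# Constructed access structure S = (A_HAT, RHO): 3 rows over Z_q with b_hat = 2 columns.
# Any two rows of A_HAT are linearly independent, so S accepts whenever two literals hold.
A_HAT = [(1, 2), (1, 3), (2, 1)]
# rho_hat(j) = (negated?, sub-universe i, vector x_j)
RHO = [(False, 1, (1, 1)),   # p    = (1, x_1): holds when x_1 . v_1 = 0
       (False, 2, (2, 5)),   # p'   = (2, x_2)
       (True, 3, (1, 0))]    # not p'' = (3, x_3): holds when x_3 . v_3 != 0

# Constructed attribute sets Gamma = {(i, v_i)}
GAMMA_ACCEPT = [(1, (1, Q - 1)), (3, (2, 2))]   # satisfies rows 0 and 2
GAMMA_REJECT = [(1, (1, 1)), (3, (0, 7))]       # satisfies no row


def gamma_hat(gamma, rho=RHO):
    """Definition 6: gamma_hat(j) = 1 iff the literal labelling row j is satisfied by Gamma."""
    attrs = dict(gamma)
    out = []
    for negated, i, x in rho:
        v = attrs.get(i)
        if v is None:                  # attribute i absent from Gamma: neither form holds
            out.append(0)
            continue
        is_zero = dot(x, v) == 0
        out.append(int(is_zero != negated))
    return out


def lin_share(a_hat=A_HAT):
    """s_0 := 1 . f is the secret; s := A_hat . f are the shares (share j belongs to rho_hat(j))."""
    f = [secrets.randbelow(Q) for _ in range(len(a_hat[0]))]
    s0 = sum(f) % Q
    return s0, [dot(row, f) for row in a_hat]


def lin_recon(gamma, shares, a_hat=A_HAT, rho=RHO):
    """Return ({j: alpha_j}, sum alpha_j s_j) over satisfied rows spanning 1, or None if S rejects."""
    g = gamma_hat(gamma, rho)
    live = [j for j in range(len(a_hat)) if g[j] == 1]
    for j, k in itertools.combinations(live, 2):      # b_hat = 2: two independent rows suffice
        (a, b), (c, d) = a_hat[j], a_hat[k]
        det = (a * d - b * c) % Q
        if det == 0:
            continue
        inv = pow(det, -1, Q)
        # Cramer's rule for alpha_j * (a, b) + alpha_k * (c, d) = (1, 1)
        alpha_j, alpha_k = (d - c) * inv % Q, (a - b) * inv % Q
        return {j: alpha_j, k: alpha_k}, (alpha_j * shares[j] + alpha_k * shares[k]) % Q
    return None
```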
In a KP-FE scheme supporting non-monotone access structures, a functionality $\hat F$ is defined over a key space and an index space using sets of non-monotone access structures and attribute vector tuples, respectively (see Definition 6). The key space K corresponds to all non-monotone access structures $\mathbb{S} := (\hat A, \hat\rho)$, while the index space I corresponds to all attribute sets Γ. Here,
$\hat F(\mathbb{S}, (\Gamma, m)) := m$ if $\mathbb{S} := (\hat A, \hat\rho)$ accepts Γ, and $\bot$ otherwise.

2.5 Dual Pairing Vector Spaces

Our constructions are based on dual pairing vector spaces proposed by Okamoto and Takashima [30, 3]. In this paper, we concentrate on the asymmetric version [32]. We only briefly describe how to generate random dual orthonormal bases. See [30, 3, 32] for a full definition of dual pairing vector spaces.

Definition 8 (Asymmetric bilinear pairing groups). Asymmetric bilinear pairing groups $(q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, g_1, g_2, e)$ are a tuple of a prime q, cyclic (multiplicative) groups $\mathbb{G}_1, \mathbb{G}_2$ and $\mathbb{G}_T$ of order q, $g_1 \neq 1 \in \mathbb{G}_1$, $g_2 \neq 1 \in \mathbb{G}_2$, and a polynomial-time computable nondegenerate bilinear pairing $e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$, i.e., $e(g_1^s, g_2^t) = e(g_1, g_2)^{st}$ and $e(g_1, g_2) \neq 1$.

In addition to referring to individual elements of $\mathbb{G}_1$ or $\mathbb{G}_2$, we will also consider vectors of group elements. For $\vec v = (v_1, \dots, v_n) \in \mathbb{Z}_q^n$ and $g_\beta \in \mathbb{G}_\beta$, we write $g_\beta^{\vec v}$ to denote an n-tuple of elements of $\mathbb{G}_\beta$ for β = 1, 2:
$g_\beta^{\vec v} := (g_\beta^{v_1}, \dots, g_\beta^{v_n})$.
For any $a \in \mathbb{Z}_q$ and $\vec v, \vec w \in \mathbb{Z}_q^n$, we have:
$g_\beta^{a\vec v} := (g_\beta^{a v_1}, \dots, g_\beta^{a v_n})$, $g_\beta^{\vec v + \vec w} := (g_\beta^{v_1 + w_1}, \dots, g_\beta^{v_n + w_n})$.
Then we define
$e(g_1^{\vec v}, g_2^{\vec w}) := \prod_{i=1}^{n} e(g_1^{v_i}, g_2^{w_i}) = e(g_1, g_2)^{\vec v \cdot \vec w}$.
Here, the dot product is taken modulo q.

Dual Pairing Vector Spaces. For a fixed (constant) dimension n, we will choose two random bases $\mathbb{B} := (\vec b_1, \dots, \vec b_n)$ and $\mathbb{B}^* := (\vec b_1^*, \dots, \vec b_n^*)$ of $\mathbb{Z}_q^n$, subject to the constraint that they are dual orthonormal, meaning that $\vec b_j \cdot \vec b_k^* = 0 \pmod q$ whenever $j \neq k$, and $\vec b_j \cdot \vec b_j^* = \psi \pmod q$ for all j, where ψ is a random element of $\mathbb{Z}_q$. We denote such an algorithm as $\mathrm{Dual}(\mathbb{Z}_q^n)$. Then for generators $g_1 \in \mathbb{G}_1$ and $g_2 \in \mathbb{G}_2$, we have $e(g_1^{\vec b_j}, g_2^{\vec b_k^*}) = 1$ whenever $j \neq k$, where here 1 denotes the identity element in $\mathbb{G}_T$.
More generally, we can sample multiple tuples of dual orthonormal bases. Namely, for fixed (constant) dimensions $n_1, \dots, n_d$, we will choose d tuples of two random bases $\mathbb{B}_i := (\vec b_{1,i}, \dots, \vec b_{n_i,i})$ and $\mathbb{B}_i^* := (\vec b_{1,i}^*, \dots, \vec b_{n_i,i}^*)$ of $\mathbb{Z}_q^{n_i}$, subject to the constraint that they are dual orthonormal, meaning that $\vec b_{j,i} \cdot \vec b_{k,i}^* = 0 \pmod q$ whenever $j \neq k$, and $\vec b_{j,i} \cdot \vec b_{j,i}^* = \psi \pmod q$ for all j and i, where ψ is a random element of $\mathbb{Z}_q$. We denote such an algorithm as $\mathrm{Dual}(\mathbb{Z}_q^{n_1}, \dots, \mathbb{Z}_q^{n_d})$.

2.6 SXDH Assumptions

Definition 9 (DDH1: Decisional Diffie-Hellman Assumption in $\mathbb{G}_1$). Given a group generator $\mathcal{G}$, we define the following distribution:
$\mathbb{G} := (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, g_1, g_2, e) \leftarrow_R \mathcal{G}$, $a, b, c \leftarrow_R \mathbb{Z}_q$, $D := (\mathbb{G}; g_1, g_2, g_1^a, g_1^b)$.
We assume that for any PPT algorithm $\mathcal{A}$ (with output in {0, 1}),
$\mathrm{Adv}^{DDH1}_{\mathcal{A}}(\lambda) := |\Pr[\mathcal{A}(D, g_1^{ab}) = 1] - \Pr[\mathcal{A}(D, g_1^{ab+c}) = 1]|$
is negligible in the security parameter λ.

The dual of the above assumption is the Decisional Diffie-Hellman assumption in $\mathbb{G}_2$ (denoted as DDH2), which is identical to Definition 9 with the roles of $\mathbb{G}_1$ and $\mathbb{G}_2$ reversed. We say that:

Definition 10. The Symmetric External Diffie-Hellman assumption holds if DDH problems are intractable in both $\mathbb{G}_1$ and $\mathbb{G}_2$.

2.7 Statistical Indistinguishability Lemma

We require the following lemma for our security proofs, which is derived from [32].

Lemma 1. For $p \in \mathbb{Z}_q$, let $C_p := \{(\vec x, \vec v) \mid \vec x \cdot \vec v = p, \vec 0 \neq \vec x, \vec 0 \neq \vec v \in \mathbb{Z}_q^n\}$. For all $(\vec x, \vec v) \in C_p$, for all $(\vec z, \vec w) \in C_p$, and $\mathbf{A} \leftarrow_R \mathbb{Z}_q^{n \times n}$ ($\mathbf{A}$ is invertible with overwhelming probability),
$\Pr[\vec x \mathbf{A} = \vec z \wedge \vec v (\mathbf{A}^{-1})^T = \vec w] = 1/\#C_p$.

3 Subspace Assumptions via SXDH

In this section, we present Subspace assumptions derived from the SXDH assumption. We will rely on these assumptions later to instantiate our encryption schemes. These are analogues of the DLIN-based Subspace assumptions given in [26, 32].
3.1 Decisional Subspace Assumption

Definition 11 (DS1: Decisional Subspace Assumption in $\mathbb{G}_1$). Given a group generator $\mathcal{G}(\cdot)$, define the following distribution:
$\mathbb{G} := (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, g_1, g_2, e) \leftarrow_R \mathcal{G}(1^\lambda)$, $(\mathbb{B}, \mathbb{B}^*) \leftarrow_R \mathrm{Dual}(\mathbb{Z}_q^N)$; $\tau_1, \tau_2, \mu_1, \mu_2 \leftarrow_R \mathbb{Z}_q$,
$U_1 := g_2^{\mu_1 \vec b_1^* + \mu_2 \vec b_{K+1}^*}, \dots, U_K := g_2^{\mu_1 \vec b_K^* + \mu_2 \vec b_{2K}^*}$,
$V_1 := g_1^{\tau_1 \vec b_1}, \dots, V_K := g_1^{\tau_1 \vec b_K}$,
$W_1 := g_1^{\tau_1 \vec b_1 + \tau_2 \vec b_{K+1}}, \dots, W_K := g_1^{\tau_1 \vec b_K + \tau_2 \vec b_{2K}}$,
$D := (\mathbb{G}; g_2^{\vec b_1^*}, \dots, g_2^{\vec b_K^*}, g_2^{\vec b_{2K+1}^*}, \dots, g_2^{\vec b_N^*}, g_1^{\vec b_1}, \dots, g_1^{\vec b_N}, U_1, \dots, U_K, \mu_2)$
where K, N are fixed positive integers that satisfy $2K \le N$. We assume that for any PPT algorithm $\mathcal{A}$ (with output in {0, 1}),
$\mathrm{Adv}^{DS1}_{\mathcal{A}}(\lambda) := |\Pr[\mathcal{A}(D, V_1, \dots, V_K) = 1] - \Pr[\mathcal{A}(D, W_1, \dots, W_K) = 1]|$
is negligible in the security parameter λ.

Lemma 2. If the DDH1 assumption in $\mathbb{G}_1$ holds, then the Subspace assumption in $\mathbb{G}_1$ stated in Definition 11 also holds. More precisely, for any adversary $\mathcal{A}$ against the Subspace assumption in $\mathbb{G}_1$, there exist probabilistic algorithms $\mathcal{B}$ whose running times are essentially the same as that of $\mathcal{A}$, such that $\mathrm{Adv}^{DS1}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{DDH1}_{\mathcal{B}}(\lambda)$.

Proof. We assume there exists a PPT algorithm $\mathcal{A}$ breaking the Subspace assumption with non-negligible advantage $\mathrm{Adv}^{DS1}_{\mathcal{A}}(\lambda)$ (for some fixed positive integers K, N satisfying $N \ge 2K$). We create a PPT algorithm $\mathcal{B}$ which breaks the DDH1 assumption in $\mathbb{G}_1$ with non-negligible advantage $\mathrm{Adv}^{DS1}_{\mathcal{A}}(\lambda)$. $\mathcal{B}$ is given $g_1, g_2, g_1^a, g_1^b, T$, where T is either $g_1^{ab}$ or T is a uniformly random element of $\mathbb{G}_1$. $\mathcal{B}$ first samples random dual orthonormal bases, denoted by $\vec f_1, \dots, \vec f_N$ and $\vec f_1^*, \dots, \vec f_N^*$. From the definition, $\mathcal{B}$ chooses vectors $\vec f_1, \dots, \vec f_N, \vec f_1^*, \dots, \vec f_N^*$ randomly, subject to the constraints that $\vec f_j \cdot \vec f_k^* \equiv 0 \pmod q$ when $j \neq k$, and $\vec f_j \cdot \vec f_j^* \equiv \psi \pmod q$ for all j from 1 to N, where ψ is a random element of $\mathbb{Z}_q$. Then, $\mathcal{B}$ implicitly sets:
$\vec b_1 := \vec f_1 + a \vec f_{K+1}, \dots, \vec b_K := \vec f_K + a \vec f_{2K}$, $\vec b_{K+1} := \vec f_{K+1}, \dots, \vec b_N := \vec f_N$.
$\mathcal{B}$ also sets the dual basis as:
$\vec b_1^* := \vec f_1^*, \dots, \vec b_K^* := \vec f_K^*$, $\vec b_{K+1}^* := \vec f_{K+1}^* - a \vec f_1^*, \dots, \vec b_{2K}^* := \vec f_{2K}^* - a \vec f_K^*$, $\vec b_{2K+1}^* := \vec f_{2K+1}^*, \dots, \vec b_N^* := \vec f_N^*$.
We observe that under these definitions, $\vec b_j \cdot \vec b_k^* \equiv 0 \pmod q$ when $j \neq k$, and $\vec b_j \cdot \vec b_j^* \equiv \psi \pmod q$ for all j from 1 to N. We note that $\mathcal{B}$ can produce all of $g_1^{\vec b_1}, \dots, g_1^{\vec b_N}$ (given $g_1, g_1^a$) as well as $g_2^{\vec b_1^*}, \dots, g_2^{\vec b_K^*}$ and $g_2^{\vec b_{2K+1}^*}, \dots, g_2^{\vec b_N^*}$ (given $g_2$). However, $\mathcal{B}$ cannot produce $g_2^{\vec b_{K+1}^*}, \dots, g_2^{\vec b_{2K}^*}$ (these require knowledge of $g_2^a$). It is not difficult to check that $\vec b_1, \dots, \vec b_N$ and $\vec b_1^*, \dots, \vec b_N^*$ are properly distributed. Now $\mathcal{B}$ creates $U_1, \dots, U_K$ by choosing random values $\mu_1', \mu_2' \in \mathbb{Z}_q$ and setting:
$U_1 := g_2^{\mu_1' \vec b_1^* + \mu_2' \vec f_{K+1}^*} = g_2^{(\mu_1' + a\mu_2') \vec b_1^* + \mu_2' \vec b_{K+1}^*}$.
In other words, $\mathcal{B}$ has implicitly set $\mu_1 := \mu_1' + a\mu_2'$ and $\mu_2 := \mu_2'$. We note that these values are uniformly random, and $\mu_2$ is known to $\mathcal{B}$. $\mathcal{B}$ can then form $U_2, \dots, U_K$ as:
$U_2 := g_2^{\mu_1' \vec b_2^* + \mu_2' \vec f_{K+2}^*}, \dots, U_K := g_2^{\mu_1' \vec b_K^* + \mu_2' \vec f_{2K}^*}$.
$\mathcal{B}$ implicitly sets $\tau_1 := b$, $\tau_2 := c$ and computes:
$T_1 := T^{\vec f_{K+1}} (g_1^b)^{\vec f_1}, \dots, T_K := T^{\vec f_{2K}} (g_1^b)^{\vec f_K}$.
If $T = g_1^{ab}$, then these are distributed as $V_1, \dots, V_K$, since $T^{\vec f_{K+j}} (g_1^b)^{\vec f_j} = g_1^{\tau_1 \vec b_j}$. If $T = g_1^{ab+c}$, then these are distributed as $W_1, \dots, W_K$, since $T^{\vec f_{K+j}} (g_1^b)^{\vec f_j} = g_1^{\tau_1 \vec b_j + \tau_2 \vec b_{K+j}}$. $\mathcal{B}$ then gives
$D := (\mathbb{G}; g_2^{\vec b_1^*}, \dots, g_2^{\vec b_K^*}, g_2^{\vec b_{2K+1}^*}, \dots, g_2^{\vec b_N^*}, g_1^{\vec b_1}, \dots, g_1^{\vec b_N}, U_1, \dots, U_K, \mu_2)$
to $\mathcal{A}$, along with $T_1, \dots, T_K$. $\mathcal{B}$ can then leverage $\mathcal{A}$'s advantage $\mathrm{Adv}^{DS1}_{\mathcal{A}}(\lambda)$ in distinguishing between the distributions $(V_1, \dots, V_K)$ and $(W_1, \dots, W_K)$ to achieve an advantage $\mathrm{Adv}^{DDH1}_{\mathcal{B}}(\lambda)$ in distinguishing $T = g_1^{ab}$ from $T = g_1^{ab+c}$, hence violating the DDH1 assumption in $\mathbb{G}_1$.

The dual of the Subspace assumption in $\mathbb{G}_1$ is the Subspace assumption in $\mathbb{G}_2$ (denoted as DS2), which is identical to Definition 11 with the roles of $\mathbb{G}_1$ and $\mathbb{G}_2$ reversed. Similarly, we can prove that the Subspace assumption holds in $\mathbb{G}_2$ if the DDH2 assumption in $\mathbb{G}_2$ holds.

3.2 Generalized Decisional Subspace Assumption

We generalize the Decisional Subspace Assumption for multiple tuples of dual orthonormal bases.

Definition 12 (GDS1: Generalized Decisional Subspace Assumption in $\mathbb{G}_1$). Given a group generator $\mathcal{G}(\cdot)$, define the following distribution:
$\mathbb{G} := (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, g_1, g_2, e) \leftarrow_R \mathcal{G}(1^\lambda)$, $(\mathbb{B}, \mathbb{B}^*) \leftarrow_R \mathrm{Dual}(\mathbb{Z}_q^{N_1}, \dots, \mathbb{Z}_q^{N_d})$; $\tau_1, \tau_2, \mu_1, \mu_2 \leftarrow_R \mathbb{Z}_q$,
$U_{1,i} := g_2^{\mu_1 \vec b_{1,i}^* + \mu_2 \vec b_{K_i+1,i}^*}, \dots, U_{K_i,i} := g_2^{\mu_1 \vec b_{K_i,i}^* + \mu_2 \vec b_{2K_i,i}^*}$ for $i \in [d]$,
$V_{1,i} := g_1^{\tau_1 \vec b_{1,i}}, \dots, V_{K_i,i} := g_1^{\tau_1 \vec b_{K_i,i}}$ for $i \in [d]$,
$W_{1,i} := g_1^{\tau_1 \vec b_{1,i} + \tau_2 \vec b_{K_i+1,i}}, \dots, W_{K_i,i} := g_1^{\tau_1 \vec b_{K_i,i} + \tau_2 \vec b_{2K_i,i}}$ for $i \in [d]$,
$D := (\mathbb{G}; \{g_2^{\vec b_{1,i}^*}, \dots, g_2^{\vec b_{K_i,i}^*}, g_2^{\vec b_{2K_i+1,i}^*}, \dots, g_2^{\vec b_{N_i,i}^*}, g_1^{\vec b_{1,i}}, \dots, g_1^{\vec b_{N_i,i}}, U_{1,i}, \dots, U_{K_i,i}\}_{i \in [d]}, \mu_2)$
where $K_i, N_i$ are fixed positive integers that satisfy $2K_i \le N_i$ for $i \in [d]$. We assume that for any PPT algorithm $\mathcal{A}$ (with output in {0, 1}),
$\mathrm{Adv}^{GDS1}_{\mathcal{A}}(\lambda) := |\Pr[\mathcal{A}(D, \{V_{1,i}, \dots, V_{K_i,i}\}_{i \in [d]}) = 1] - \Pr[\mathcal{A}(D, \{W_{1,i}, \dots, W_{K_i,i}\}_{i \in [d]}) = 1]|$
is negligible in the security parameter λ.

Lemma 3. If the DDH1 assumption in $\mathbb{G}_1$ holds, then the Generalized Subspace assumption in $\mathbb{G}_1$ stated in Definition 12 also holds. More precisely, for any adversary $\mathcal{A}$ against the Generalized Subspace assumption in $\mathbb{G}_1$, there exist probabilistic algorithms $\mathcal{B}$ whose running times are essentially the same as that of $\mathcal{A}$, such that $\mathrm{Adv}^{GDS1}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{DDH1}_{\mathcal{B}}(\lambda)$.

The proof of the above lemma is essentially the same as that of Lemma 2. The dual of the Generalized Subspace assumption in $\mathbb{G}_1$ is the Generalized Subspace assumption in $\mathbb{G}_2$ (denoted as GDS2), which is identical to Definition 12 with the roles of $\mathbb{G}_1$ and $\mathbb{G}_2$ reversed. Similarly, we can prove that the Generalized Subspace assumption holds in $\mathbb{G}_2$ if the DDH2 assumption in $\mathbb{G}_2$ holds.

4 Identity-Based Encryption

We first present our IBE construction along with our proof of its security under the SXDH assumption.

Construction. We begin with our IBE scheme:

$\mathrm{Setup}(1^\lambda)$: This algorithm takes in the security parameter λ and generates a bilinear pairing $\mathbb{G} := (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, g_1, g_2, e)$ for sufficiently large prime order q. The algorithm samples random dual orthonormal bases, $(\mathbb{D}, \mathbb{D}^*) \leftarrow_R \mathrm{Dual}(\mathbb{Z}_q^4)$. Let $\vec d_1, \dots, \vec d_4$ denote the elements of $\mathbb{D}$ and $\vec d_1^*, \dots, \vec d_4^*$ denote the elements of $\mathbb{D}^*$. It also picks $\alpha \leftarrow_R \mathbb{Z}_q$, computes $g_T^\alpha := e(g_1, g_2)^{\alpha \vec d_1 \cdot \vec d_1^*}$, and outputs the public parameters as
$PP := \{\mathbb{G}; g_T^\alpha, g_1^{\vec d_1}, g_1^{\vec d_2}\}$, and the master key $MK := \{\alpha, g_2^{\vec d_1^*}, g_2^{\vec d_2^*}\}$.

$\mathrm{KeyGen}(PP, MK, id)$: This algorithm picks $r \leftarrow_R \mathbb{Z}_q$. The secret key is computed as
$SK_{id} := g_2^{\alpha \vec d_1^* + r(id \cdot \vec d_1^* - \vec d_2^*)}$.

$\mathrm{Enc}(PP, id, m)$: This algorithm picks $z \leftarrow_R \mathbb{Z}_q$ and forms the ciphertext as
$CT_{id} := \{C := m \cdot (g_T^\alpha)^z, \; C_0 := g_1^{z(\vec d_1 + id \cdot \vec d_2)}\}$.

$\mathrm{Dec}(PP, SK_{id}, CT_{id})$: This algorithm computes the message as
$m := C / e(C_0, SK_{id})$.

We note that applying Naor's transform [9, ] to our scheme, we can also obtain an efficient signature scheme.
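The vector arithmetic behind Setup, KeyGen, Enc and Dec, as an added example that is not code from the paper: each group element $g_\beta^{\vec v}$ is stood in for by its exponent vector over $\mathbb{Z}_q$ and the pairing $e(g_1^{\vec v}, g_2^{\vec w}) = e(g_1, g_2)^{\vec v \cdot \vec w}$ by the dot product, so the dual orthonormal bases, decryption correctness, and the behaviour of the semi-functional key and ciphertext components that the security proof adds in the $\vec d_3, \vec d_4$ directions (both semi-functional decrypts only when $\nu_1\chi_1 + \nu_2\chi_2 \equiv 0 \pmod q$) can all be checked. The prime, the encoding of messages as exponents, the identities and the coefficient values are constructed; the model has no discrete-log hardness and is not an implementation of the scheme.

```python
# Added example (not from the paper): the Section 4 IBE modelled "in the exponent".
# g_beta^v is represented by the exponent vector v over Z_q and e(g1^v, g2^w) by v.w mod q.
# No discrete-log hardness here: constructed prime, messages and identities, algebra only.
import secrets

Q = 2**61 - 1   # constructed toy modulus playing the role of the group order q
N = 4           # DPVS dimension used by the IBE: d1, d2 in the scheme, d3, d4 in the proof

def rand_zq():                      # uniform non-zero element of Z_q
    return secrets.randbelow(Q - 1) + 1

def dot(u, v):                      # the pairing "in the exponent": v . w mod q
    return sum(a * b for a, b in zip(u, v)) % Q

def lin(*terms):                    # sum of c * v over (c, v) pairs, componentwise mod q
    out = [0] * N
    for c, v in terms:
        out = [(o + c * x) % Q for o, x in zip(out, v)]
    return out

def mat_inverse(m):
    """Gauss-Jordan inverse over Z_q; returns None when m is singular."""
    n = len(m)
    aug = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(m)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % Q), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, Q)
        aug[col] = [x * inv % Q for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % Q for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]

def dual(n):
    """Dual(Z_q^n): random bases B, B* with b_j.b*_k = 0 (j != k) and b_j.b*_j = psi."""
    while True:
        B = [[secrets.randbelow(Q) for _ in range(n)] for _ in range(n)]
        inv = mat_inverse(B)
        if inv is not None:
            break
    psi = rand_zq()
    Bstar = [[psi * inv[i][j] % Q for i in range(n)] for j in range(n)]  # psi * (B^-1)^T
    return B, Bstar, psi

def is_dual_orthonormal(B, Bstar, psi):
    return all(dot(B[j], Bstar[k]) == (psi if j == k else 0)
               for j in range(len(B)) for k in range(len(B)))

def setup():
    D, Dstar, _ = dual(N)
    alpha = rand_zq()
    pp = {"gT_alpha": alpha * dot(D[0], Dstar[0]) % Q,   # g_T^alpha = e(g1,g2)^{alpha d1.d1*}
          "d1": D[0], "d2": D[1]}
    mk = {"alpha": alpha, "d1s": Dstar[0], "d2s": Dstar[1]}
    sf = {"d3": D[2], "d4": D[3], "d3s": Dstar[2], "d4s": Dstar[3]}   # proof-only vectors
    return pp, mk, sf

def keygen(mk, ident, sf=None, nu=(0, 0)):
    """SK_id = g2^{alpha d1* + r(id d1* - d2*)}; with sf, add [nu1 d3* + nu2 d4*] (KeyGenSF)."""
    r = rand_zq()
    sk = lin((mk["alpha"], mk["d1s"]), (r * ident % Q, mk["d1s"]), (Q - r, mk["d2s"]))
    if sf is not None:
        sk = lin((1, sk), (nu[0], sf["d3s"]), (nu[1], sf["d4s"]))
    return sk

def encrypt(pp, ident, msg, sf=None, chi=(0, 0)):
    """CT_id = (m (g_T^alpha)^z, g1^{z(d1 + id d2)}); with sf, add [chi1 d3 + chi2 d4] (EncryptSF)."""
    z = rand_zq()
    C = (msg + z * pp["gT_alpha"]) % Q          # message encoded as an exponent of e(g1,g2)
    C0 = lin((z, pp["d1"]), (z * ident % Q, pp["d2"]))
    if sf is not None:
        C0 = lin((1, C0), (chi[0], sf["d3"]), (chi[1], sf["d4"]))
    return C, C0

def decrypt(sk, ct):                # m = C / e(C0, SK_id)
    C, C0 = ct
    return (C - dot(C0, sk)) % Q

def run_cases():
    """Which key/ciphertext combinations decrypt (constructed identities and message)."""
    pp, mk, sf = setup()
    msg, alice, bob = 123456789, 1001, 1002
    sk, ct = keygen(mk, alice), encrypt(pp, alice, msg)
    sk_sf = keygen(mk, alice, sf, nu=(1, 2))
    return {
        "normal": decrypt(sk, ct) == msg,
        "wrong_identity": decrypt(keygen(mk, bob), ct) == msg,
        "sf_key_normal_ct": decrypt(sk_sf, ct) == msg,           # d3*, d4* orthogonal to C0
        "normal_key_sf_ct": decrypt(sk, encrypt(pp, alice, msg, sf, chi=(3, 4))) == msg,
        # both semi-functional: extra factor g_T^{nu1 chi1 + nu2 chi2} in e(C0, SK)
        "both_sf_generic": decrypt(sk_sf, encrypt(pp, alice, msg, sf, chi=(3, 4))) == msg,
        "both_sf_nominal": decrypt(sk_sf, encrypt(pp, alice, msg, sf, chi=(2, Q - 1))) == msg,
    }
```

The last case is nominally semi-functional: $1 \cdot 2 + 2 \cdot (q-1) \equiv 0 \pmod q$, so the $\vec d_3, \vec d_4$ cross term vanishes and decryption still succeeds.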
Correctness. Correctness is straightforward:
$e(C_0, SK_{id}) = e(g_1^{z(\vec d_1 + id \cdot \vec d_2)}, g_2^{\alpha \vec d_1^* + r(id \cdot \vec d_1^* - \vec d_2^*)}) = e(g_1, g_2)^{\alpha z \vec d_1 \cdot \vec d_1^*} \cdot e(g_1, g_2)^{z r \cdot id \cdot \vec d_1 \cdot \vec d_1^* - z r \cdot id \cdot \vec d_2 \cdot \vec d_2^*} = g_T^{\alpha z}$.

Proof of Security. We prove the following theorem by showing a series of lemmas.

Theorem 1. The IBE scheme is fully secure and weakly attribute-hiding (anonymous) under the SXDH assumption. More precisely, for any adversary $\mathcal{A}$ against the IBE scheme, there exist probabilistic algorithms $\mathcal{B}_0, \mathcal{B}_1, \dots, \mathcal{B}_{q_n}$ whose running times are essentially the same as that of $\mathcal{A}$, such that
$\mathrm{Adv}^{IBE}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{DDH1}_{\mathcal{B}_0}(\lambda) + \sum_{\kappa=1}^{q_n} \mathrm{Adv}^{DDH2}_{\mathcal{B}_\kappa}(\lambda) + (6 q_n + 3)/q$,
where $q_n$ is the maximum number of $\mathcal{A}$'s key queries.

We adopt the dual system encryption methodology by Waters [37] to prove the security of our IBE scheme. We use the concepts of semi-functional ciphertexts and semi-functional keys in our proof and provide algorithms that generate them. We note that these algorithms are only provided for definitional purposes, and are not part of the IBE system. In particular, they do not need to be efficiently computable from the public parameters and the master key.

KeyGenSF. The algorithm picks $r, \nu_1, \nu_2 \leftarrow_R \mathbb{Z}_q$ and forms a semi-functional secret key as
$SK^{(SF)}_v := g_2^{\alpha \vec d_1^* + r(id \cdot \vec d_1^* - \vec d_2^*) + [\nu_1 \vec d_3^* + \nu_2 \vec d_4^*]}$. (2)

EncryptSF. The algorithm picks $z, \chi_1, \chi_2 \leftarrow_R \mathbb{Z}_q$ and forms a semi-functional ciphertext as
$CT^{(SF)}_x := \{C := m \cdot (g_T^\alpha)^z, \; C_0 := g_1^{z(\vec d_1 + id \cdot \vec d_2) + [\chi_1 \vec d_3 + \chi_2 \vec d_4]}\}$. (3)

We observe that if one applies the decryption procedure with a semi-functional key and a normal ciphertext, decryption will succeed because $\vec d_3^*, \vec d_4^*$ are orthogonal to all of the vectors in the exponent of $C_0$, and hence have no effect on decryption. Similarly, decryption of a semi-functional ciphertext by a normal key will also succeed because $\vec d_3, \vec d_4$ are orthogonal to all of the vectors in the exponent of the key. When both the ciphertext and key are semi-functional, the result of $e(C_0, SK_v)$ will have an additional term, namely
$e(g_1, g_2)^{\nu_1 \chi_1 \vec d_3 \cdot \vec d_3^* + \nu_2 \chi_2 \vec d_4 \cdot \vec d_4^*} = g_T^{\nu_1 \chi_1 + \nu_2 \chi_2}$.
Decryption will then fail unless $\nu_1 \chi_1 + \nu_2 \chi_2 \equiv 0 \pmod q$. If this modular equation holds, we say that the key and ciphertext pair is nominally semi-functional.

For a probabilistic polynomial-time adversary $\mathcal{A}$ which makes $q_n$ key queries $v_1, \dots, v_{q_n}$, our proof of security consists of the following sequence of games between $\mathcal{A}$ and a challenger $\mathcal{B}$.

$\mathrm{Game}_{Real}$: is the real security game.
$\mathrm{Game}_0$: is the same as $\mathrm{Game}_{Real}$ except that the challenge ciphertext is semi-functional.
14 Game κ : for κ from to q n, Game κ is the same as Game 0 except that the first κ keys are semifunctional and the remaining keys are normal Game Final : is the same as Game qn, except that the challenge ciphertext is a semi-functional encryption of a random message in G T and under a random identity in Z q We denote the challenge ciphertext in Game Final as CT R) id R We prove following lemmas to show the above games are indistinguishable by following an analogous strategy of [26, 28] Our main arguments are computational indistinguishability guaranteed by the Subspace assumptions, which are implied by the SXDH assumption) and statistical indistinguishability The advantage gap between Game Real and Game 0 is bounded by the advantage of the Subspace assumption in G dditionally, we require a statistical indistinguishability argument to show that the distribution of the challenge ciphertext remains the same from the adversary s view For κ from to q n, the advantage gap between Game κ and Game κ is bounded by the advantage of Subspace assumption in G 2 Similarly, we require a statistical indistinguishability argument to show that the distribution of the the κ-th semi-functional key remains the same from the adversary s view Finally, we statistically transform Game qn joint distributions of ) PP, CT SF) id, β SK SF) id l l=,,q n and to Game Final in one step, ie, we show the ) PP, CT R) id R, SK SF) id l l=,,q n are equivalent for the adversary s view We let dv Game Real denote an adversary s advantage in the real game Lemma 4 Suppose that there exists an adversary where dv Game Real λ) dv Game 0 λ) = ϵ Then there exists an algorithm B 0 such that dv DS B 0 λ) = ϵ 2/q, with K = 2 and N = 4 Proof B 0 is given D := G; g b 2, gb 2 2, gb,, gb 4, U, U 2, µ 2 ) along with T, T 2 We require that B 0 decides whether T, T 2 are distributed as g τ b, g τ b 2 or g τ b +τ 2 b 3, g τ b 2 +τ 2 b 4 B 0 simulates Game Real or Game 0 with, depending on the distribution of T, T 2 To 
compute the public parameters and master secret key, B 0 first chooses a random invertible matrix Z 2 2 q We implicitly set dual orthonormal bases D, D to: d := b, d 2 := b 2, d 3,, d 4 ) := b 3, b 4 ), d := b, d 2 := b 2, d 3,, d 4) := b 3, b 4) ) We note that D, D are properly distributed, and reveal no information about Moreover, B 0 cannot generate g d 3 2, gd 4 2, but these will not be needed for creating normal keys B 0 chooses random value α Z q and computes gt α := eg, g 2 ) αd d It then gives the public parameters PP := G; gt α, g d, gd 2 3
The master key $\mathrm{MK} := (\alpha, g_2^{d^*_1}, g_2^{d^*_2})$ is known to $\mathcal{B}_0$, which allows $\mathcal{B}_0$ to respond to all of $\mathcal{A}$'s key queries by calling the normal key generation algorithm. $\mathcal{A}$ sends $\mathcal{B}_0$ two pairs $(m_0, \mathrm{id}_0)$ and $(m_1, \mathrm{id}_1)$. $\mathcal{B}_0$ chooses a random bit $\beta \in \{0, 1\}$, and encrypts $m_\beta$ under $\mathrm{id}_\beta$ as follows:
$$C := m_\beta \bigl(e(T_1, g_2^{b^*_1})\bigr)^{\alpha} = m_\beta (g_T^\alpha)^z,\qquad C_0 := T_1\, T_2^{\mathrm{id}_\beta},$$
where $\mathcal{B}_0$ has implicitly set $z := \tau_1$. It gives the ciphertext $(C, C_0)$ to $\mathcal{A}$. Now, if $T_1, T_2$ are equal to $g_1^{\tau_1 b_1}, g_1^{\tau_1 b_2}$, then this is a properly distributed normal encryption of $m_\beta$. In this case, $\mathcal{B}_0$ has properly simulated $\mathsf{Game}_{\mathrm{Real}}$. If $T_1, T_2$ are equal to $g_1^{\tau_1 b_1 + \tau_2 b_3}, g_1^{\tau_1 b_2 + \tau_2 b_4}$ instead, then the ciphertext element $C_0$ has an additional term of $\tau_2 (b_3 + \mathrm{id}_\beta b_4)$ in its exponent. The coefficients here in the basis $b_3, b_4$ form the vector $\tau_2 (1, \mathrm{id}_\beta)$. To compute the coefficients in the basis $d_3, d_4$, we multiply the matrix $A^{-1}$ by the transpose of this vector, obtaining $\tau_2 A^{-1} (1, \mathrm{id}_\beta)^{\top}$. Since $A$ is random (everything else given to $\mathcal{A}$ has been distributed independently of $A$), these coefficients are uniformly random except with probability $2/q$ (namely, the cases where $\tau_2$ defined in the Subspace problem is zero, or $(\chi_1, \chi_2)$ defined in Equation 3 is the zero vector) by Lemma 1. Therefore, in this case, $\mathcal{B}_0$ has properly simulated $\mathsf{Game}_0$. This allows $\mathcal{B}_0$ to leverage $\mathcal{A}$'s advantage $\epsilon$ between $\mathsf{Game}_{\mathrm{Real}}$ and $\mathsf{Game}_0$ to achieve an advantage $\epsilon - 2/q$ against the Subspace assumption in $\mathbb{G}_1$, namely $\mathsf{Adv}^{\mathrm{DS1}}_{\mathcal{B}_0}(\lambda) = \epsilon - 2/q$.

Lemma 5. Suppose that there exists an adversary $\mathcal{A}$ where $\mathsf{Adv}^{\mathsf{Game}_{\kappa-1}}_{\mathcal{A}}(\lambda) - \mathsf{Adv}^{\mathsf{Game}_\kappa}_{\mathcal{A}}(\lambda) = \epsilon$. Then there exists an algorithm $\mathcal{B}_\kappa$ such that $\mathsf{Adv}^{\mathrm{DS2}}_{\mathcal{B}_\kappa}(\lambda) = \epsilon - 6/q$, with $K = 2$ and $N = 4$.

Proof. $\mathcal{B}_\kappa$ is given $D := (\mathbb{G};\ g_1^{b_1}, g_1^{b_2}, g_2^{b^*_1}, \ldots, g_2^{b^*_4}, U_1, U_2, \mu_2)$ along with $T_1, T_2$. We require that $\mathcal{B}_\kappa$ decides whether $T_1, T_2$ are distributed as $g_2^{\tau_1 b^*_1}, g_2^{\tau_1 b^*_2}$ or $g_2^{\tau_1 b^*_1 + \tau_2 b^*_3}, g_2^{\tau_1 b^*_2 + \tau_2 b^*_4}$. $\mathcal{B}_\kappa$ simulates $\mathsf{Game}_{\kappa-1}$ or $\mathsf{Game}_\kappa$ with $\mathcal{A}$, depending on the distribution of $T_1, T_2$. To compute the public parameters and master secret key, $\mathcal{B}_\kappa$ chooses a random invertible matrix $A \in \mathbb{Z}_q^{2 \times 2}$. We then implicitly set dual orthonormal bases $\mathbb{D}, \mathbb{D}^*$ to:
$$d_1 := b_1,\quad d_2 := b_2,\quad (d_3, d_4) := (b_3, b_4)\,A,$$
$$d^*_1 := b^*_1,\quad d^*_2 := b^*_2,\quad (d^*_3, d^*_4) := (b^*_3, b^*_4)\,(A^{-1})^{\top}.$$
We note that $\mathbb{D}, \mathbb{D}^*$ are properly distributed, and reveal no information about $A$. $\mathcal{B}_\kappa$ chooses a random value $\alpha \in \mathbb{Z}_q$ and computes $g_T^\alpha := e(g_1, g_2)^{\alpha\, d_1 \cdot d^*_1}$. $\mathcal{B}_\kappa$ can then give the public parameters $\mathrm{PP} := (\mathbb{G};\ g_T^\alpha, g_1^{d_1}, g_1^{d_2})$.
The master key $\mathrm{MK} := (\alpha, g_2^{d^*_1}, g_2^{d^*_2})$ is known to $\mathcal{B}_\kappa$, which allows $\mathcal{B}_\kappa$ to respond to all of $\mathcal{A}$'s key queries by calling the normal key generation algorithm. Since $\mathcal{B}_\kappa$ also knows $g_2^{d^*_3}, g_2^{d^*_4}$, it can easily produce semi-functional keys. To answer the first $\kappa - 1$ key queries that $\mathcal{A}$ makes, $\mathcal{B}_\kappa$ runs the semi-functional key generation algorithm to produce semi-functional keys and gives these to $\mathcal{A}$. To answer the $\kappa$-th key query for $\mathrm{id}_\kappa$, $\mathcal{B}_\kappa$ responds with:
$$\mathrm{SK}_{\mathrm{id}_\kappa} := (g_2^{b^*_1})^{\alpha}\, T_1^{\mathrm{id}_\kappa}\, T_2^{-1}.$$
This implicitly sets $r := \tau_1$. If $T_1, T_2$ are equal to $g_2^{\tau_1 b^*_1}, g_2^{\tau_1 b^*_2}$, then this is a properly distributed normal key. If $T_1, T_2$ are equal to $g_2^{\tau_1 b^*_1 + \tau_2 b^*_3}, g_2^{\tau_1 b^*_2 + \tau_2 b^*_4}$, then this is a semi-functional key, whose exponent vector includes
$$\tau_2 (\mathrm{id}_\kappa b^*_3 - b^*_4) \qquad (4)$$
as its component in the span of $b^*_3, b^*_4$. To respond to the remaining key queries, $\mathcal{B}_\kappa$ simply runs the normal key generation algorithm. At some point, $\mathcal{A}$ sends $\mathcal{B}_\kappa$ two pairs $(m_0, \mathrm{id}_0)$ and $(m_1, \mathrm{id}_1)$. $\mathcal{B}_\kappa$ chooses a random bit $\beta \in \{0, 1\}$, and encrypts $m_\beta$ under $\mathrm{id}_\beta$ as follows:
$$C := m_\beta \bigl(e(U_1, g_2^{b^*_1})\bigr)^{\alpha} = m_\beta (g_T^\alpha)^z,\qquad C_0 := U_1\, U_2^{\mathrm{id}_\beta},$$
where $\mathcal{B}_\kappa$ has implicitly set $z := \mu_1$. The semi-functional part of the exponent vector here is:
$$\mu_2 (b_3 + \mathrm{id}_\beta b_4) \qquad (5)$$
We observe that if $\mathrm{id}_\beta = \mathrm{id}_\kappa$ (which is not allowed), then vectors 4 and 5 would be orthogonal, resulting in a nominally semi-functional ciphertext and key pair. It gives the ciphertext $(C, C_0)$ to $\mathcal{A}$. We now argue that since $\mathrm{id}_\beta \neq \mathrm{id}_\kappa$, in $\mathcal{A}$'s view the vectors 4 and 5 are distributed as random vectors in the spans of $d^*_3, d^*_4$ and $d_3, d_4$ respectively. To see this, we take the coefficients of vectors 4 and 5 in terms of the bases $b^*_3, b^*_4$ and $b_3, b_4$ respectively and translate them into coefficients in terms of the bases $d^*_3, d^*_4$ and $d_3, d_4$. Using the change of basis matrix $A$, we obtain the new coefficients (in vector form) as:
$$\tau_2\, A^{\top} (\mathrm{id}_\kappa, -1)^{\top},\qquad \mu_2\, A^{-1} (1, \mathrm{id}_\beta)^{\top}.$$
Since the distribution of everything given to $\mathcal{A}$ except for the $\kappa$-th key and the challenge ciphertext is independent of the random matrix $A$ and $\mathrm{id}_\beta \neq \mathrm{id}_\kappa$, we can conclude that these coefficients are uniformly distributed except with probability $4/q$ (namely, the cases where $\mu_2$ or $\tau_2$ defined in the Subspace problem is zero, or $(\chi_1, \chi_2)$ or $(\nu_1, \nu_2)$ defined in Equations 3 and 2 is the zero vector) by Lemma 1. Thus, $\mathcal{B}_\kappa$ has properly simulated $\mathsf{Game}_\kappa$ in this case. If $T_1, T_2$ are equal to $g_2^{\tau_1 b^*_1}, g_2^{\tau_1 b^*_2}$, then the coefficients of the vector 5 are uniformly distributed except with probability $2/q$ (namely, the cases where $\mu_2$ defined in the Subspace problem is zero, or $(\chi_1, \chi_2)$ defined in Equation 3 is the zero vector) by Lemma 1. Thus, $\mathcal{B}_\kappa$ has properly simulated $\mathsf{Game}_{\kappa-1}$ in this case. In summary, $\mathcal{B}_\kappa$ has properly simulated either $\mathsf{Game}_{\kappa-1}$ or $\mathsf{Game}_\kappa$ for $\mathcal{A}$, depending on the distribution of $T_1, T_2$. It can therefore leverage $\mathcal{A}$'s advantage $\epsilon$ between these games to obtain an advantage $\epsilon - 6/q$ against the Subspace assumption in $\mathbb{G}_2$, namely $\mathsf{Adv}^{\mathrm{DS2}}_{\mathcal{B}_\kappa}(\lambda) = \epsilon - 6/q$.
Lemma 6. For any adversary $\mathcal{A}$, $\mathsf{Adv}^{\mathsf{Game}_{\mathrm{Final}}}_{\mathcal{A}}(\lambda) \le \mathsf{Adv}^{\mathsf{Game}_{q_n}}_{\mathcal{A}}(\lambda) + 1/q$.

Proof. To prove this lemma, we show that the joint distributions of $(\mathrm{PP}, \mathrm{CT}^{(SF)}_{\mathrm{id}_\beta}, \{\mathrm{SK}^{(SF)}_{\mathrm{id}_l}\}_{l \in [q_n]})$ in $\mathsf{Game}_{q_n}$ and of $(\mathrm{PP}, \mathrm{CT}^{(R)}_{\mathrm{id}_R}, \{\mathrm{SK}^{(SF)}_{\mathrm{id}_l}\}_{l \in [q_n]})$ in $\mathsf{Game}_{\mathrm{Final}}$ are equivalent from the adversary's view, where $\mathrm{CT}^{(R)}_{\mathrm{id}_R}$ is a semi-functional encryption of a random message in $\mathbb{G}_T$ and under a random vector in $\mathbb{Z}_q^n$. For this purpose, we pick $A := (\xi_{i,j}) \leftarrow_R \mathbb{Z}_q^{2 \times 2}$ and define new dual orthonormal bases $\mathbb{F} := (f_1, \ldots, f_4)$ and $\mathbb{F}^* := (f^*_1, \ldots, f^*_4)$ as follows:
$$\begin{pmatrix} f_1 \\ f_2 \\ f_3 \\ f_4 \end{pmatrix} := \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ \xi_{1,1} & \xi_{1,2} & 1 & 0 \\ \xi_{2,1} & \xi_{2,2} & 0 & 1 \end{pmatrix} \begin{pmatrix} d_1 \\ d_2 \\ d_3 \\ d_4 \end{pmatrix},\qquad \begin{pmatrix} f^*_1 \\ f^*_2 \\ f^*_3 \\ f^*_4 \end{pmatrix} := \begin{pmatrix} 1 & 0 & -\xi_{1,1} & -\xi_{2,1} \\ 0 & 1 & -\xi_{1,2} & -\xi_{2,2} \\ 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix} \begin{pmatrix} d^*_1 \\ d^*_2 \\ d^*_3 \\ d^*_4 \end{pmatrix}.$$
It is easy to verify that $\mathbb{F}$ and $\mathbb{F}^*$ are also dual orthonormal, and are distributed the same as $\mathbb{D}$ and $\mathbb{D}^*$. Then the public parameters, challenge ciphertext, and queried secret keys $(\mathrm{PP}, \mathrm{CT}^{(SF)}_{\mathrm{id}_\beta}, \{\mathrm{SK}^{(SF)}_{\mathrm{id}_l}\}_{l \in [q_n]})$ in $\mathsf{Game}_{q_n}$ are expressed over bases $\mathbb{D}$ and $\mathbb{D}^*$ as
$$\mathrm{PP} := (\mathbb{G};\ g_T^\alpha, g_1^{d_1}, g_1^{d_2}),$$
$$\mathrm{CT}^{(SF)}_{\mathrm{id}_\beta} := \bigl(C := m\,(g_T^\alpha)^z,\ C_0 := g_1^{z(d_1 + \mathrm{id}_\beta d_2) + [\chi_1 d_3 + \chi_2 d_4]}\bigr),$$
$$\mathrm{SK}^{(SF)}_{\mathrm{id}_l} := g_2^{\alpha d^*_1 + r_l(\mathrm{id}_l d^*_1 - d^*_2) + [\nu_{1,l} d^*_3 + \nu_{2,l} d^*_4]},\quad l \in [q_n].$$
Then we can express them over bases $\mathbb{F}$ and $\mathbb{F}^*$ as
$$\mathrm{PP} := (\mathbb{G};\ g_T^\alpha, g_1^{f_1}, g_1^{f_2}),$$
$$\mathrm{CT}^{(SF)}_{\mathrm{id}_\beta} := \bigl(C := m\,(g_T^\alpha)^z,\ C_0 := g_1^{z'_1 f_1 + z'_2 f_2 + [\chi_1 f_3 + \chi_2 f_4]}\bigr),$$
$$\mathrm{SK}^{(SF)}_{\mathrm{id}_l} := g_2^{\alpha f^*_1 + r_l(\mathrm{id}_l f^*_1 - f^*_2) + [\nu'_{1,l} f^*_3 + \nu'_{2,l} f^*_4]},\quad l \in [q_n],$$
where
$$z'_1 := z - \chi_1 \xi_{1,1} - \chi_2 \xi_{2,1},\qquad z'_2 := z\,\mathrm{id}_\beta - \chi_1 \xi_{1,2} - \chi_2 \xi_{2,2},$$
$$\nu'_{1,l} := \nu_{1,l} + \alpha \xi_{1,1} + r_l(\mathrm{id}_l \xi_{1,1} - \xi_{1,2}),\qquad \nu'_{2,l} := \nu_{2,l} + \alpha \xi_{2,1} + r_l(\mathrm{id}_l \xi_{2,1} - \xi_{2,2}),\quad l \in [q_n],$$
which are all uniformly distributed if $(\chi_1, \chi_2)$ defined in Equation 3 is a non-zero vector, since $z$, $\{\xi_{i,j}\}_{i,j \in [2]}$ and $\{\nu_{1,l}, \nu_{2,l}\}_{l \in [q_n]}$ are all uniformly picked from $\mathbb{Z}_q$. In other words, the coefficients $(z, z\,\mathrm{id}_\beta)$ of $d_1, d_2$ in the $C_0$ term of the challenge ciphertext are changed to random coefficients $(z'_1, z'_2) \in \mathbb{Z}_q^2$ of $f_1, f_2$; thus the challenge ciphertext can be viewed as a semi-functional encryption of a random message in $\mathbb{G}_T$ and under a random identity in $\mathbb{Z}_q$. Moreover, all coefficients $(\nu'_{1,l}, \nu'_{2,l})_{l \in [q_n]}$ of $f^*_3, f^*_4$ in $\{\mathrm{SK}^{(SF)}_{\mathrm{id}_l}\}_{l \in [q_n]}$ are uniformly distributed, since $(\nu_{1,l}, \nu_{2,l})_{l \in [q_n]}$ of $d^*_3, d^*_4$ are all independent random values. Thus $(\mathrm{PP}, \mathrm{CT}^{(SF)}_{\mathrm{id}_\beta}, \{\mathrm{SK}^{(SF)}_{\mathrm{id}_l}\}_{l \in [q_n]})$ expressed over bases $\mathbb{F}$ and $\mathbb{F}^*$ is properly distributed as $(\mathrm{PP}, \mathrm{CT}^{(R)}_{\mathrm{id}_R}, \{\mathrm{SK}^{(SF)}_{\mathrm{id}_l}\}_{l \in [q_n]})$ in $\mathsf{Game}_{\mathrm{Final}}$. In the adversary's view, both $(\mathbb{D}, \mathbb{D}^*)$ and $(\mathbb{F}, \mathbb{F}^*)$ are consistent with the same public parameters. Therefore, the challenge ciphertext and queried secret keys above can be expressed as keys and ciphertext in two ways: in $\mathsf{Game}_{q_n}$ over bases $(\mathbb{D}, \mathbb{D}^*)$ and in $\mathsf{Game}_{\mathrm{Final}}$ over bases $(\mathbb{F}, \mathbb{F}^*)$. Thus, $\mathsf{Game}_{q_n}$ and $\mathsf{Game}_{\mathrm{Final}}$ are statistically indistinguishable except with probability $1/q$ (namely, the case $(\chi_1, \chi_2) = (0, 0)$).

Lemma 7. For any adversary $\mathcal{A}$, $\mathsf{Adv}^{\mathsf{Game}_{\mathrm{Final}}}_{\mathcal{A}}(\lambda) = 0$.

Proof. The value of $\beta$ is independent of the adversary's view in $\mathsf{Game}_{\mathrm{Final}}$. Hence, $\mathsf{Adv}^{\mathsf{Game}_{\mathrm{Final}}}_{\mathcal{A}}(\lambda) = 0$.

In $\mathsf{Game}_{\mathrm{Final}}$, the challenge ciphertext is a semi-functional encryption of a random message in $\mathbb{G}_T$ and under a random identity in $\mathbb{Z}_q$, independent of the two messages and the challenge identities provided by $\mathcal{A}$. Thus, our IBE scheme is weakly attribute-hiding (anonymous).

5 Inner Product Encryption

We now present our IPE scheme, the construction and security proof of which are essentially the same as for our IBE, except that we extend the embedded equality relation to the general inner product relation.

Construction. We begin with our IPE scheme:

Setup($1^\lambda$). This algorithm takes in the security parameter $\lambda$ and generates a bilinear pairing $\mathbb{G} := (q, \mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, g_1, g_2, e)$ for a sufficiently large prime order $q$. The algorithm samples random dual orthonormal bases $(\mathbb{D}, \mathbb{D}^*) \leftarrow_R \mathrm{Dual}(\mathbb{Z}_q^{2n})$. Let $d_1, \ldots, d_{2n}$ denote the elements of $\mathbb{D}$ and $d^*_1, \ldots, d^*_{2n}$ denote the elements of $\mathbb{D}^*$. It also picks $\alpha \leftarrow_R \mathbb{Z}_q$, computes $g_T := e(g_1, g_2)^{d_1 \cdot d^*_1}$, and outputs the public parameters as $\mathrm{PP} := (\mathbb{G};\ g_T^\alpha, g_1^{d_1}, \ldots, g_1^{d_n})$ and the master key $\mathrm{MK} := (\alpha, g_2^{d^*_1}, \ldots, g_2^{d^*_n})$.

KeyGen($\mathrm{PP}, \mathrm{MK}, v := (v_1, \ldots, v_n)$). This algorithm picks $r \leftarrow_R \mathbb{Z}_q$. The secret key is computed as
$$\mathrm{SK}_v := g_2^{\alpha d^*_1 + r(v_1 d^*_1 + \cdots + v_n d^*_n)}.$$

Enc($\mathrm{PP}, x := (x_1, \ldots, x_n), m$). WLOG, we assume that $x_1 = 1$. This algorithm picks $z \leftarrow_R \mathbb{Z}_q$ and forms the ciphertext as
$$\mathrm{CT}_x := \bigl(C := m\,(g_T^\alpha)^z,\ C_0 := g_1^{z(x_1 d_1 + \cdots + x_n d_n)}\bigr).$$

Dec($\mathrm{PP}, \mathrm{SK}_v, \mathrm{CT}_x$). This algorithm computes the message as $m := C / e(C_0, \mathrm{SK}_v)$.

Correctness. Correctness is straightforward:
$$e(C_0, \mathrm{SK}_v) = e\bigl(g_1^{z(x_1 d_1 + \cdots + x_n d_n)},\ g_2^{\alpha d^*_1 + r(v_1 d^*_1 + \cdots + v_n d^*_n)}\bigr) = e(g_1, g_2)^{\alpha z x_1\, d_1 \cdot d^*_1}\ e(g_1, g_2)^{zr(v_1 x_1\, d_1 \cdot d^*_1 + \cdots + v_n x_n\, d_n \cdot d^*_n)} = g_T^{\alpha z}\, g_T^{zr \langle v, x \rangle} = g_T^{\alpha z},$$
where $x_1 = 1$ gives the factor $g_T^{\alpha z}$ and the last equality holds when $\langle v, x \rangle = 0$.

Proof of Security. We prove the following theorem by showing a series of lemmas.

Theorem 2. The IPE scheme is fully secure and weakly attribute-hiding under the SXDH assumption. More precisely, for any adversary $\mathcal{A}$ against the IPE scheme, there exist probabilistic algorithms $\mathcal{B}_0, \mathcal{B}_1, \ldots, \mathcal{B}_{q_n}$ whose running times are essentially the same as that of $\mathcal{A}$, such that
$$\mathsf{Adv}^{\mathrm{IPE}}_{\mathcal{A}}(\lambda) \le \mathsf{Adv}^{\mathrm{DDH1}}_{\mathcal{B}_0}(\lambda) + \sum_{\kappa=1}^{q_n} \mathsf{Adv}^{\mathrm{DDH2}}_{\mathcal{B}_\kappa}(\lambda) + (6 q_n + 3)/q,$$
where $q_n$ is the maximum number of $\mathcal{A}$'s key queries.

We adopt the dual system encryption methodology by Waters [37] to prove the security of our IPE scheme; the strategy is essentially the same as for our IBE scheme. We first define semi-functional ciphertexts and semi-functional keys in our proof and provide algorithms that generate them.

KeyGenSF. The algorithm picks $r, \nu_1, \ldots, \nu_n \leftarrow_R \mathbb{Z}_q$ and forms a semi-functional secret key as
$$\mathrm{SK}^{(SF)}_v := g_2^{\alpha d^*_1 + r(v_1 d^*_1 + \cdots + v_n d^*_n) + [\nu_1 d^*_{n+1} + \cdots + \nu_n d^*_{2n}]}. \qquad (6)$$

EncryptSF. The algorithm picks $z, \chi_1, \ldots, \chi_n \leftarrow_R \mathbb{Z}_q$ and forms a semi-functional ciphertext as
$$\mathrm{CT}^{(SF)}_x := \bigl(C := m\,(g_T^\alpha)^z,\ C_0 := g_1^{z(x_1 d_1 + \cdots + x_n d_n) + [\chi_1 d_{n+1} + \cdots + \chi_n d_{2n}]}\bigr). \qquad (7)$$

We observe that if one applies the decryption procedure with a semi-functional key and a normal ciphertext, decryption will succeed because $d^*_{n+1}, \ldots, d^*_{2n}$ are orthogonal to all of the vectors in the exponent of $C_0$, and hence have no effect on decryption. Similarly, decryption of a semi-functional ciphertext by a normal key will also succeed because $d_{n+1}, \ldots, d_{2n}$ are orthogonal to all of the vectors in the exponent of the key. When both the ciphertext and key are semi-functional, the result of $e(C_0, \mathrm{SK}_v)$ will have an additional term, namely
$$e(g_1, g_2)^{\nu_1 \chi_1\, d_{n+1} \cdot d^*_{n+1} + \cdots + \nu_n \chi_n\, d_{2n} \cdot d^*_{2n}} = g_T^{\nu_1 \chi_1 + \cdots + \nu_n \chi_n}.$$
Decryption will then fail unless $\nu_1 \chi_1 + \cdots + \nu_n \chi_n \equiv 0 \bmod q$. If this modular equation holds, we say that the key and ciphertext pair is nominally semi-functional.

For a probabilistic polynomial-time adversary $\mathcal{A}$ which makes $q_n$ key queries $v_1, \ldots, v_{q_n}$, our proof of security consists of the following sequence of games between $\mathcal{A}$ and a challenger $\mathcal{B}$.

$\mathsf{Game}_{\mathrm{Real}}$: is the real security game.

$\mathsf{Game}_0$: is the same as $\mathsf{Game}_{\mathrm{Real}}$ except that the challenge ciphertext is semi-functional.

$\mathsf{Game}_\kappa$: for $\kappa$ from $1$ to $q_n$, $\mathsf{Game}_\kappa$ is the same as $\mathsf{Game}_0$ except that the first $\kappa$ keys are semi-functional and the remaining keys are normal.

$\mathsf{Game}_{\mathrm{Final}}$: is the same as $\mathsf{Game}_{q_n}$, except that the challenge ciphertext is a semi-functional encryption of a random message in $\mathbb{G}_T$ and under a random vector in $\mathbb{Z}_q^n$. We denote the challenge ciphertext in $\mathsf{Game}_{\mathrm{Final}}$ as $\mathrm{CT}^{(R)}_{x_R}$.

We let $\mathsf{Adv}^{\mathsf{Game}_{\mathrm{Real}}}_{\mathcal{A}}$ denote an adversary $\mathcal{A}$'s advantage in the real game.

Lemma 8. Suppose that there exists an adversary $\mathcal{A}$ where $\mathsf{Adv}^{\mathsf{Game}_{\mathrm{Real}}}_{\mathcal{A}}(\lambda) - \mathsf{Adv}^{\mathsf{Game}_0}_{\mathcal{A}}(\lambda) = \epsilon$. Then there exists an algorithm $\mathcal{B}_0$ such that $\mathsf{Adv}^{\mathrm{DS1}}_{\mathcal{B}_0}(\lambda) = \epsilon - 2/q$, with $K = n$ and $N = 2n$.

Proof. $\mathcal{B}_0$ is given $D := (\mathbb{G};\ g_2^{b^*_1}, \ldots, g_2^{b^*_n}, g_1^{b_1}, \ldots, g_1^{b_{2n}}, U_1, \ldots, U_n, \mu_2)$ along with $T_1, \ldots, T_n$. We require that $\mathcal{B}_0$ decides whether $T_1, \ldots, T_n$ are distributed as $g_1^{\tau_1 b_1}, \ldots, g_1^{\tau_1 b_n}$ or $g_1^{\tau_1 b_1 + \tau_2 b_{n+1}}, \ldots, g_1^{\tau_1 b_n + \tau_2 b_{2n}}$. $\mathcal{B}_0$ simulates $\mathsf{Game}_{\mathrm{Real}}$ or $\mathsf{Game}_0$ with $\mathcal{A}$, depending on the distribution of $T_1, \ldots, T_n$. To compute the public parameters and master secret key, $\mathcal{B}_0$ first chooses a random invertible matrix $A \in \mathbb{Z}_q^{n \times n}$. We implicitly set dual orthonormal bases $\mathbb{D}, \mathbb{D}^*$ to:
$$d_1 := b_1,\ \ldots,\ d_n := b_n,\quad (d_{n+1}, \ldots, d_{2n}) := (b_{n+1}, \ldots, b_{2n})\,A,$$
$$d^*_1 := b^*_1,\ \ldots,\ d^*_n := b^*_n,\quad (d^*_{n+1}, \ldots, d^*_{2n}) := (b^*_{n+1}, \ldots, b^*_{2n})\,(A^{-1})^{\top}.$$
We note that $\mathbb{D}, \mathbb{D}^*$ are properly distributed, and reveal no information about $A$. Moreover, $\mathcal{B}_0$ cannot generate $g_2^{d^*_{n+1}}, \ldots, g_2^{d^*_{2n}}$, but these will not be needed for creating normal keys. $\mathcal{B}_0$ chooses a random value $\alpha \in \mathbb{Z}_q$ and computes $g_T^\alpha := e(g_1, g_2)^{\alpha\, d_1 \cdot d^*_1}$. It then gives the public parameters $\mathrm{PP} := (\mathbb{G};\ g_T^\alpha, g_1^{d_1}, \ldots, g_1^{d_n})$. The master key $\mathrm{MK} := (\alpha, g_2^{d^*_1}, \ldots, g_2^{d^*_n})$ is known to $\mathcal{B}_0$, which allows $\mathcal{B}_0$ to respond to all of $\mathcal{A}$'s key queries by calling the normal key generation algorithm.
$\mathcal{A}$ sends $\mathcal{B}_0$ two pairs $(m_0, x_0)$ and $(m_1, x_1)$. $\mathcal{B}_0$ chooses a random bit $\beta \in \{0, 1\}$, and encrypts $m_\beta$ under $x_\beta := (x_{1,\beta}, \ldots, x_{n,\beta})$ as follows:
$$C := m_\beta \bigl(e(T_1, g_2^{b^*_1})\bigr)^{\alpha} = m_\beta (g_T^\alpha)^z,\qquad C_0 := T_1^{x_{1,\beta}} \cdots T_n^{x_{n,\beta}},$$
where $\mathcal{B}_0$ has implicitly set $z := \tau_1$. It gives the ciphertext $(C, C_0)$ to $\mathcal{A}$. Now, if $T_1, \ldots, T_n$ are equal to $g_1^{\tau_1 b_1}, \ldots, g_1^{\tau_1 b_n}$, then this is a properly distributed normal encryption of $m_\beta$. In this case, $\mathcal{B}_0$ has properly simulated $\mathsf{Game}_{\mathrm{Real}}$. If $T_1, \ldots, T_n$ are equal to $g_1^{\tau_1 b_1 + \tau_2 b_{n+1}}, \ldots, g_1^{\tau_1 b_n + \tau_2 b_{2n}}$ instead, then the ciphertext element $C_0$ has an additional term of $\tau_2 (x_{1,\beta} b_{n+1} + \cdots + x_{n,\beta} b_{2n})$ in its exponent. The coefficients here in the basis $b_{n+1}, \ldots, b_{2n}$ form the vector $\tau_2 (x_{1,\beta}, \ldots, x_{n,\beta})$. To compute the coefficients in the basis $d_{n+1}, \ldots, d_{2n}$, we multiply the matrix $A^{-1}$ by the transpose of this vector, obtaining $\tau_2 A^{-1} (x_{1,\beta}, \ldots, x_{n,\beta})^{\top}$. Since $A$ is random (everything else given to $\mathcal{A}$ has been distributed independently of $A$), these coefficients are uniformly random except with probability $2/q$ (namely, the cases where $\tau_2$ defined in the Subspace problem is zero, or $(\chi_1, \ldots, \chi_n)$ defined in Equation 7 is the zero vector) by Lemma 1. Therefore, in this case, $\mathcal{B}_0$ has properly simulated $\mathsf{Game}_0$. This allows $\mathcal{B}_0$ to leverage $\mathcal{A}$'s advantage $\epsilon$ between $\mathsf{Game}_{\mathrm{Real}}$ and $\mathsf{Game}_0$ to achieve an advantage $\epsilon - 2/q$ against the Subspace assumption in $\mathbb{G}_1$, namely $\mathsf{Adv}^{\mathrm{DS1}}_{\mathcal{B}_0}(\lambda) = \epsilon - 2/q$.

Lemma 9. Suppose that there exists an adversary $\mathcal{A}$ where $\mathsf{Adv}^{\mathsf{Game}_{\kappa-1}}_{\mathcal{A}}(\lambda) - \mathsf{Adv}^{\mathsf{Game}_\kappa}_{\mathcal{A}}(\lambda) = \epsilon$. Then there exists an algorithm $\mathcal{B}_\kappa$ such that $\mathsf{Adv}^{\mathrm{DS2}}_{\mathcal{B}_\kappa}(\lambda) = \epsilon - 6/q$, with $K = n$ and $N = 2n$.

Proof. $\mathcal{B}_\kappa$ is given $D := (\mathbb{G};\ g_1^{b_1}, \ldots, g_1^{b_n}, g_2^{b^*_1}, \ldots, g_2^{b^*_{2n}}, U_1, \ldots, U_n, \mu_2)$ along with $T_1, \ldots, T_n$. We require that $\mathcal{B}_\kappa$ decides whether $T_1, \ldots, T_n$ are distributed as $g_2^{\tau_1 b^*_1}, \ldots, g_2^{\tau_1 b^*_n}$ or $g_2^{\tau_1 b^*_1 + \tau_2 b^*_{n+1}}, \ldots, g_2^{\tau_1 b^*_n + \tau_2 b^*_{2n}}$. $\mathcal{B}_\kappa$ simulates $\mathsf{Game}_{\kappa-1}$ or $\mathsf{Game}_\kappa$ with $\mathcal{A}$, depending on the distribution of $T_1, \ldots, T_n$. To compute the public parameters and master secret key, $\mathcal{B}_\kappa$ chooses a random invertible matrix $A \in \mathbb{Z}_q^{n \times n}$. We then implicitly set dual orthonormal bases $\mathbb{D}, \mathbb{D}^*$ to:
$$d_1 := b_1,\ \ldots,\ d_n := b_n,\quad (d_{n+1}, \ldots, d_{2n}) := (b_{n+1}, \ldots, b_{2n})\,A,$$
$$d^*_1 := b^*_1,\ \ldots,\ d^*_n := b^*_n,\quad (d^*_{n+1}, \ldots, d^*_{2n}) := (b^*_{n+1}, \ldots, b^*_{2n})\,(A^{-1})^{\top}.$$
We note that $\mathbb{D}, \mathbb{D}^*$ are properly distributed, and reveal no information about $A$. $\mathcal{B}_\kappa$ chooses a random value $\alpha \in \mathbb{Z}_q$ and computes $g_T^\alpha := e(g_1, g_2)^{\alpha\, d_1 \cdot d^*_1}$. $\mathcal{B}_\kappa$ can then give the public parameters $\mathrm{PP} := (\mathbb{G};\ g_T^\alpha, g_1^{d_1}, \ldots, g_1^{d_n})$. The master key $\mathrm{MK} := (\alpha, g_2^{d^*_1}, \ldots, g_2^{d^*_n})$ is known to $\mathcal{B}_\kappa$, which allows $\mathcal{B}_\kappa$ to respond to all of $\mathcal{A}$'s key queries by calling the normal key generation algorithm. Since $\mathcal{B}_\kappa$ also knows $g_2^{d^*_{n+1}}, \ldots, g_2^{d^*_{2n}}$, it can easily produce semi-functional keys. To answer the first $\kappa - 1$ key queries that $\mathcal{A}$ makes, $\mathcal{B}_\kappa$ runs the semi-functional key generation algorithm to produce semi-functional keys and gives these to $\mathcal{A}$. To answer the $\kappa$-th key query for $v_\kappa := (v_1, \ldots, v_n)$, $\mathcal{B}_\kappa$ responds with:
$$\mathrm{SK}_{v_\kappa} := (g_2^{b^*_1})^{\alpha}\, T_1^{v_1} \cdots T_n^{v_n}.$$
This implicitly sets $r := \tau_1$. If $T_1, \ldots, T_n$ are equal to $g_2^{\tau_1 b^*_1}, \ldots, g_2^{\tau_1 b^*_n}$, then this is a properly distributed normal key. If $T_1, \ldots, T_n$ are equal to $g_2^{\tau_1 b^*_1 + \tau_2 b^*_{n+1}}, \ldots, g_2^{\tau_1 b^*_n + \tau_2 b^*_{2n}}$, then this is a semi-functional key, whose exponent vector includes
$$\tau_2 (v_1 b^*_{n+1} + \cdots + v_n b^*_{2n}) \qquad (8)$$
as its component in the span of $b^*_{n+1}, \ldots, b^*_{2n}$. To respond to the remaining key queries, $\mathcal{B}_\kappa$ simply runs the normal key generation algorithm. At some point, $\mathcal{A}$ sends $\mathcal{B}_\kappa$ two pairs $(m_0, x_0)$ and $(m_1, x_1)$. $\mathcal{B}_\kappa$ chooses a random bit $\beta \in \{0, 1\}$, and encrypts $m_\beta$ under $x_\beta := (x_{1,\beta}, \ldots, x_{n,\beta})$ as follows:
$$C := m_\beta \bigl(e(U_1, g_2^{b^*_1})\bigr)^{\alpha} = m_\beta (g_T^\alpha)^z,\qquad C_0 := U_1^{x_{1,\beta}} \cdots U_n^{x_{n,\beta}},$$
where $\mathcal{B}_\kappa$ has implicitly set $z := \mu_1$. The semi-functional part of the exponent vector here is:
$$\mu_2 (x_{1,\beta} b_{n+1} + \cdots + x_{n,\beta} b_{2n}) \qquad (9)$$
We observe that if $\langle x_\beta, v_\kappa \rangle = 0$ (which is not allowed), then vectors 8 and 9 would be orthogonal, resulting in a nominally semi-functional ciphertext and key pair. It gives the ciphertext $(C, C_0)$ to $\mathcal{A}$. We now argue that since $\langle x_\beta, v_\kappa \rangle \neq 0$, in $\mathcal{A}$'s view the vectors 8 and 9 are distributed as random vectors in the spans of $d^*_{n+1}, \ldots, d^*_{2n}$ and $d_{n+1}, \ldots, d_{2n}$ respectively. To see this, we take the coefficients of vectors 8 and 9 in terms of the bases $b^*_{n+1}, \ldots, b^*_{2n}$ and $b_{n+1}, \ldots, b_{2n}$ respectively and translate them into coefficients in terms of the bases $d^*_{n+1}, \ldots, d^*_{2n}$ and $d_{n+1}, \ldots, d_{2n}$. Using the change of basis matrix $A$, we obtain the new coefficients (in vector form) as:
$$\tau_2\, A^{\top} (v_1, \ldots, v_n)^{\top},\qquad \mu_2\, A^{-1} (x_{1,\beta}, \ldots, x_{n,\beta})^{\top}.$$
Since the distribution of everything given to $\mathcal{A}$ except for the $\kappa$-th key and the challenge ciphertext is independent of the random matrix $A$ and $\langle x_\beta, v_\kappa \rangle \neq 0$, we can conclude that these coefficients are uniformly distributed except with probability $4/q$ (namely, the cases where $\mu_2$ or $\tau_2$ defined in the Subspace problem is zero, or $(\chi_1, \ldots, \chi_n)$ or $(\nu_1, \ldots, \nu_n)$ defined in Equations 7 and 6 is the zero vector) by Lemma 1. Thus, $\mathcal{B}_\kappa$ has properly simulated $\mathsf{Game}_\kappa$ in this case. If $T_1, \ldots, T_n$ are equal to $g_2^{\tau_1 b^*_1}, \ldots, g_2^{\tau_1 b^*_n}$, then the coefficients of the vector 9 are uniformly distributed except with probability $2/q$ (namely, the cases where $\mu_2$ defined in the Subspace problem is zero, or $(\chi_1, \ldots, \chi_n)$ defined in Equation 7 is the zero vector) by Lemma 1. Thus, $\mathcal{B}_\kappa$ has properly simulated $\mathsf{Game}_{\kappa-1}$ in this case. In summary, $\mathcal{B}_\kappa$ has properly simulated either $\mathsf{Game}_{\kappa-1}$ or $\mathsf{Game}_\kappa$ for $\mathcal{A}$, depending on the distribution of $T_1, \ldots, T_n$. It can therefore leverage $\mathcal{A}$'s advantage $\epsilon$ between these games to obtain an advantage $\epsilon - 6/q$ against the Subspace assumption in $\mathbb{G}_2$, namely $\mathsf{Adv}^{\mathrm{DS2}}_{\mathcal{B}_\kappa}(\lambda) = \epsilon - 6/q$.
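To make the dual-pairing-vector-space algebra behind the IPE construction and its semi-functional ciphertexts and keys concrete, here is an added illustration (not the paper's code) that simulates the scheme at the exponent level: every group element is stored as its exponent vector over a constructed prime Q and the pairing becomes an inner product, so one can check correctness, the two mixed normal/semi-functional cases, the extra term $g_T^{\langle \nu, \chi \rangle}$ when both sides are semi-functional, and nominal semi-functionality; the IBE of the previous section is exercised as the $n = 2$ instance with $x = (1, \mathrm{id})$ and $v = (\mathrm{id}, -1)$. The `Dual` sampler, the class `IPE` and all helper names are this example's own assumptions, and since nothing is hidden the simulation has no security value.

```python
"""Exponent-level simulation of the IPE scheme above (added example, not the paper's code).
A group element g1^u or g2^w is stored as its exponent vector over Z_q, the pairing
e(g1^u, g2^w) = e(g1,g2)^{<u,w>} as the inner product <u,w> mod q, and a G_T element as its
exponent w.r.t. e(g1,g2).  Nothing is hidden, so this checks the algebra only, not security."""
import secrets

Q = 2**61 - 1  # constructed prime standing in for the group order q

def rand_scalar():
    """Uniform non-zero element of Z_q."""
    return secrets.randbelow(Q - 1) + 1

def invert_matrix(M):
    """Gauss-Jordan inverse of a square matrix over Z_q, or None if it is singular."""
    n = len(M)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] % Q), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        f = pow(A[col][col], Q - 2, Q)
        A[col] = [x * f % Q for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] % Q:
                A[r] = [(x - A[r][col] * y) % Q for x, y in zip(A[r], A[col])]
    return [row[n:] for row in A]

def sample_dual_bases(N):
    """Dual(Z_q^N): bases D, D* with d_i . d*_j = psi for i == j and 0 otherwise."""
    while True:
        B = [[secrets.randbelow(Q) for _ in range(N)] for _ in range(N)]
        Binv = invert_matrix(B)
        if Binv is not None:
            break
    psi = rand_scalar()
    Dstar = [[psi * Binv[j][i] % Q for j in range(N)] for i in range(N)]  # psi * (B^-1)^T
    return B, Dstar, psi

def pair(u, w):
    """Exponent of e(g1^u, g2^w) with respect to e(g1, g2), i.e. <u,w> mod q."""
    return sum(a * b for a, b in zip(u, w)) % Q

def is_dual(D, Dstar, psi):
    """True iff d_i . d*_j is psi on the diagonal and 0 off it."""
    return all(pair(D[i], Dstar[j]) == (psi if i == j else 0)
               for i in range(len(D)) for j in range(len(D)))

def lin(coeffs, basis):
    """Exponent vector sum_i coeffs[i] * basis[i] mod q."""
    out = [0] * len(basis[0])
    for c, b in zip(coeffs, basis):
        out = [(o + c * bk) % Q for o, bk in zip(out, b)]
    return out

class IPE:
    """The IPE scheme over exponent vectors; d_{n+1..2n}, d*_{n+1..2n} carry only semi-functional parts."""
    def __init__(self, n):
        self.n = n
        self.D, self.Dstar, self.psi = sample_dual_bases(2 * n)  # (D, D*) <- Dual(Z_q^{2n})
        self.alpha = rand_scalar()  # PP: g_T^alpha, g1^{d_1..d_n};  MK: alpha, g2^{d*_1..d*_n}

    def keygen(self, v, nu=None):
        """SK_v = g2^{alpha d*_1 + r(v_1 d*_1 + .. + v_n d*_n) + [nu_1 d*_{n+1} + .. + nu_n d*_{2n}]}."""
        r = rand_scalar()
        coeffs = [(self.alpha + r * v[0]) % Q] + [r * vi % Q for vi in v[1:]]
        coeffs += [c % Q for c in nu] if nu else [0] * self.n
        return lin(coeffs, self.Dstar)

    def encrypt(self, x, mu, chi=None):
        """CT_x = (C, C0): C = m g_T^{alpha z}, C0 = g1^{z(x_1 d_1 + .. + x_n d_n) + [chi_1 d_{n+1} + ..]}."""
        z = rand_scalar()
        coeffs = [z * xi % Q for xi in x] + ([c % Q for c in chi] if chi else [0] * self.n)
        c = (mu + self.alpha * z * self.psi) % Q  # g_T = e(g1,g2)^{d_1 . d*_1} = e(g1,g2)^psi
        return c, lin(coeffs, self.D)

    def decrypt(self, sk, ct):
        """m = C / e(C0, SK), where e(C0, SK) = g_T^{alpha z + z r <x,v> + <chi,nu>}."""
        c, c0 = ct
        return (c - pair(c0, sk)) % Q

def run_cases():
    """Decryption outcomes for the normal / semi-functional combinations discussed in the text."""
    ipe, mu = IPE(3), 424242                      # n = 3; constructed message exponent
    x = [1, 5, 7]                                 # WLOG x_1 = 1
    v = [(-31) % Q, 2, 3]                         # <x,v> = -31 + 10 + 21 = 0: key may decrypt
    v_bad = [1, 2, 3]                             # <x,v_bad> = 32 != 0: key must not decrypt
    chi, nu = [1, 2, 3], [(-23) % Q, 4, 5]        # <chi,nu> = -23 + 8 + 15 = 0: nominally SF pair
    nu_rand = [rand_scalar() for _ in range(3)]   # generic SF key: <chi,nu_rand> != 0 w.h.p.
    normal_ct, sf_ct = ipe.encrypt(x, mu), ipe.encrypt(x, mu, chi)
    return {
        "dual_bases_ok": is_dual(ipe.D, ipe.Dstar, ipe.psi),
        "normal_key_normal_ct": ipe.decrypt(ipe.keygen(v), normal_ct) == mu,
        "wrong_vector": ipe.decrypt(ipe.keygen(v_bad), normal_ct) == mu,
        "sf_key_normal_ct": ipe.decrypt(ipe.keygen(v, nu_rand), normal_ct) == mu,
        "normal_key_sf_ct": ipe.decrypt(ipe.keygen(v), sf_ct) == mu,
        "sf_key_sf_ct": ipe.decrypt(ipe.keygen(v, nu_rand), sf_ct) == mu,
        "nominally_sf_pair": ipe.decrypt(ipe.keygen(v, nu), sf_ct) == mu,
    }

def ibe_as_ipe(identity, other_identity):
    """The IBE is the n = 2 instance x = (1, id), v = (id, -1): <x,v> = 0 iff the identities match."""
    ipe, mu = IPE(2), 7
    ct = ipe.encrypt([1, identity % Q], mu)
    return (ipe.decrypt(ipe.keygen([identity % Q, Q - 1]), ct) == mu,
            ipe.decrypt(ipe.keygen([other_identity % Q, Q - 1]), ct) == mu)
```

`run_cases()` returns True only for the combinations the text says decrypt (normal/normal, one side semi-functional, and the nominally semi-functional pair), and `ibe_as_ipe` shows the key for a different identity failing.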
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More informationAdvanced Cryptography 03/06/2007. Lecture 8
Advanced Cryptography 03/06/007 Lecture 8 Lecturer: Victor Shoup Scribe: Prashant Puniya Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion
More informationCiphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations
Ciphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations Hua Deng a, Qianhong Wu* b, Bo Qin c, Josep Domingo-Ferrer d, Lei Zhang
More informationCONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationDual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More
Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More Nuttapong Attrapadung AIST, Japan n.attrapadung@aist.go.jp Abstract Dual
More informationCiphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization
Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization Brent Waters University of Texas at Austin bwaters@csutexasedu Abstract We present a new methodology
More informationLimitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures
Limitations on Transformations from Composite-Order to Prime-Order Groups: The Case of Round-Optimal Blind Signatures Sarah Meiklejohn (UC San Diego) Hovav Shacham (UC San Diego) David Mandell Freeman
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationPractical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles
Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationAttribute-Based Encryption Schemes with Constant-Size Ciphertexts
Attribute-Based Encryption Schemes with Constant-Size Ciphertexts Nuttapong Attrapadung 1, Javier Herranz 2, Fabien Laguillaume 3, Benoît Libert 4, Elie de Panafieu 5, and Carla Ràfols 2 1 Research Center
More informationRevocable Identity-Based Encryption from Lattices
Revocable Identity-Based Encryption from Lattices Jie Chen, Hoon Wei Lim, San Ling, Huaxiong Wang, and Khoa Nguyen Nanyang Technological University, Singapore s080001@e.ntu.edu.sg {hoonwei,lingsan,hxwang}@ntu.edu.sg
More informationInstantiating the Dual System Encryption Methodology in Bilinear Groups
Instantiating the Dual System Encryption Methodology in Bilinear Groups Allison Lewko joint work with Brent Waters Motivation classical public key cryptography: Alice Bob Eve Motivation functional encryption:
More informationNew Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption
New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption Sikhar Patranabis and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute of
More informationPublic Key Encryption with Conjunctive Field Keyword Search
Public Key Encryption with Conjunctive Field Keyword Search Dong Jin PARK Kihyun KIM Pil Joong LEE IS Lab, POSTECH, Korea August 23, 2004 Contents 1 Preliminary 2 Security Model 3 Proposed Scheme 1 4 Proposed
More informationGeneric Constructions for Chosen-Ciphertext Secure Attribute Based Encryption
Generic Constructions for Chosen-Ciphertext Secure Attribute Based Encryption Shota Yamada 1, Nuttapong Attrapadung 2, Goichiro Hanaoka 2 and Noboru Kunihiro 1 1 The University of Tokyo. {yamada@it., kunihiro@}
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationEfficient Selective Identity-Based Encryption Without Random Oracles
Efficient Selective Identity-Based Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient Identity-Based Encryption (IBE) systems that admit selectiveidentity
More informationUnbounded Inner Product Functional Encryption from Bilinear Maps
nbounded Inner Product Functional Encryption from Bilinear Maps Junichi Tomida and Katsuyuki Takashima 2 NTT tomida.junichi@lab.ntt.co.jp 2 Mitubishi Electric Takashima.Katsuyuki@aj.MitsubishiElectric.co.jp
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationAn efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of Boneh-Gentry-Hamburg's
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationParallel Decryption Queries in Bounded Chosen Ciphertext Attacks
Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks Takahiro Matsuda and Kanta Matsuura The University of Tokyo, Japan {tmatsuda,kanta}@iis.u-tokyo.ac.jp Abstract. Whether it is possible to
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationDecentralizing Inner-Product Functional Encryption
Decentralizing Inner-Product Functional Encryption Michel bdalla 1,2, Fabrice Benhamouda 3, Markulf Kohlweiss 4, and Hendrik Waldner 4 1 DIENS, École normale supérieure, CNRS, PSL University, Paris, France
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationarxiv: v1 [cs.cr] 24 Feb 2017
Efficient Hidden Vector Encryptions and Its Applications 1 arxiv:1702.07456v1 [cs.cr] 24 Feb 2017 Kwangsu Lee A Thesis for the Degree of Doctor of Philosophy Department of Information Security, Graduate
More informationA Study of Pair Encodings: Predicate Encryption in Prime Order Groups
A Study of Pair Encodings: Predicate Encryption in Prime Order Groups Shashank Agrawal 1 and Melissa Chase 2 1 University of Illinois Urbana-Champaign sagrawl2@illinois.edu 2 Microsoft Research melissac@microsoft.com
More informationFunctional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings
Functional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings Jongkil Kim, Willy Susilo, Fuchun Guo, and Man Ho Au 2 Centre for Computer and Information Security Research School
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationLecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko
CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the
More informationOptimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample
Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample Fuchun Guo 1, Rongmao Chen 2, Willy Susilo 1, Jianchang Lai 1, Guomin Yang 1, and Yi Mu 1 1 Institute
More informationShorter Quasi-Adaptive NIZK Proofs for Linear Subspaces
Shorter Quasi-Adaptive NIZK Proofs for Linear Subspaces Charanjit S. Jutla 1 and Arnab Roy 2 1 IBM T. J. Watson Research Center Yorktown Heights, NY 10598, USA csjutla@us.ibm.com 2 Fujitsu Laboratories
More information