Hierarchical identity-based encryption
|
|
- Stella Russell
- 5 years ago
- Views:
Transcription
1 Hierarchical identity-based encryption Michel Abdalla ENS & CNS September 26, 2011 MPI - Course Lecture 3 - Part 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
2 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
3 Outline 1 Introduction 2 HIBE definition Syntax Security notions 3 HIBE schemes Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE 4 Security of BB Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
4 Identity-based encryption Goal: Allow senders to encrypt messages based on the receiver s identity. Key distribution center Key Setup msk Key Derivation ID mpk sk ID ID, M Encryption C Decryption M Sender eceiver ID Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
5 Hierarchical identity-based encryption (HIBE) oot I Level 1 1 I Level 2 2 I 3 Level 3 ID = (I 1,I 2,I 3 ) Identities are vectors of the form (id 1,..., id L ), where L is the HIBE depth. Hierarchical key derivation Users with (id 1, id 2 ) can derive keys for any user whose identity is of the form (id 1, id 1, *,..., *) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
6 HIBE key derivation oot oot msk Key Derivation ID 1 sk ID1 Level 1 ID 1 Key Derivation ID 2 sk (ID1,ID2) ID 2 Level 2 mpk, (ID 1,ID 2 ), M Sender Decryption C Encryption M Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
7 Outline 1 Introduction 2 HIBE definition Syntax Security notions 3 HIBE schemes Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE 4 Security of BB Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
8 Hierarchical Identity-based encryption (HIBE) Identity at level 1 l L is a vector id = (id 1,..., id l ) ID l. oot identity is represented by ε. An HIBE scheme is defined by four algorithms: Setup(1 k, L): Outputs a master public key mpk for a HIBE of depth L along with master secret key msk. KeyDer(sk (id 1,...,id l ), id l+1 ): Uses the secret key sk for identity id = (id 1,..., id l ) to compute a secret key sk id for the user with identity id. Enc(mpk, id, m): Generates a ciphertext C for identity id = (id 1,..., id l ) and message m using master public key mpk. Dec(C, sk id ): Allows the user in possession of sk id for identity id = (id 1,..., id l ) to decrypt the ciphertext C and get back a message m. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
9 HIBE security notions Just as in the IBE case, we can consider different attacks (adaptive-identity vs. selective-identity) and goals (indistinguishability and anonymity) for HIBE schemes. Indistinguishability The adversary s goal is to distinguish Enc(mpk, id, m0 ) from Enc(mpk, id, m1 ) for values id, m0,m 1 of its choice. Anonymity The adversary s goal is to distinguish Enc(mpk, id 0, m ) from Enc(mpk, id 1, m ) for values id 0, id 1, m of its choice. Adaptive-identity chosen-plaintext attacks In this model, the adversary is allowed to choose the challenge identity values at the time that it asks the challenge query. Selective-identity chosen-plaintext attacks In this model, the adversary has to choose the challenge identity values before seeing the public key. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
10 IND-HID-CPA: Indistinguishability under chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the IND-HID-CPA security of HIBE. proc Initialize(k, L) (mpk, msk) Setup(1 k, L) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id Game Exp ind-cpa-β HIBE,L,A (k) proc L(id, m 0, m 1 ) C Enc(mpk, id, m β ) eturn C proc Finalize(β ) eturn β The advantage of A against the IND-HID-CPA security of HIBE is defined as [ ] [ ] Adv ind-cpa HIBE,L,A (k) = Pr Exp ind-cpa-1 HIBE,L,A (k) = 1 Pr Exp ind-cpa-0 HIBE,L,A (k)) = 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
11 IND-HID-CPA: An alternative definition Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the IND-HID-CPA security of HIBE. proc Initialize(k, L) Game Exp ind-cpa HIBE,L,A (k) β {0, 1} (mpk, msk) Setup(1 k, L) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id proc L(id, m 0, m 1 ) C Enc(mpk, id, m β ) eturn C proc Finalize(β ) eturn (β = β) The advantage of A against the IND-HID-CPA security of HIBE is defined as [ ] Adv ind-cpa HIBE,L,A (k) = 2 Pr Exp ind-cpa HIBE,L,A (k) = true 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
12 IND-sHID-CPA: Indistinguishability under selective-identity chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the IND-sHID-CPA security of HIBE. proc Initialize(k, L, id ) (mpk, msk) Setup(1 k, L) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id Game Exp s-ind-cpa-β HIBE,L,A (k) proc L(m 0, m 1 ) C Enc(mpk, id, m β ) eturn C proc Finalize(β ) eturn β The advantage of A against the IND-sHID-CPA security of HIBE is defined as [ ] [ ] Adv s-ind-cpa HIBE,L,A (k) = Pr Exp s-ind-cpa-1 HIBE,L,A (k) = 1 Pr Exp s-ind-cpa-0 HIBE,L,A (k)) = 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
13 IND-sHID-CPA: An alternative definition Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the IND-sHID-CPA security of HIBE. Game Exp s-ind-cpa[l] HIBE proc Initialize(k, L, id ) β {0, 1} (mpk, msk) Setup(1 k ) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id proc L(m 0, m 1 ) C Enc(mpk, id, m β ) eturn C proc Finalize(β ) eturn (β = β) The advantage of A against the IND-sHID-CPA security of HIBE is defined as [ ] Adv s-ind-cpa HIBE,L,A (k) = 2 Pr Exp s-ind-cpa[l] HIBE = true 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
14 ANO-HID-CPA: Anonymity under chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the ANO-HID-CPA security of HIBE. proc Initialize(k, L) (mpk, msk) Setup(1 k ) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id Game Exp ano-cpa-β HIBE,L,A (k) proc L(id 0, id 1, m ) C Enc(mpk, id β, m ) eturn C proc Finalize(β ) eturn β The advantage of A against the ANO-HID-CPA security of HIBE is defined as [ ] [ ] Adv ano-cpa HIBE,L,A (k) = Pr Exp ano-cpa-1 HIBE,L,A (k) = 1 Pr Exp ano-cpa-0 HIBE,L,A (k)) = 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
15 ANO-sHID-CPA: Anonymity under selective-identity chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the ANO-sHID-CPA security of HIBE. Game Exp s-ano-cpa-β HIBE,L,A (k) proc Initialize(k, L, id 0, id 1) (mpk, msk) Setup(1 k, L) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id proc L(m ) C Enc(mpk, id β, m ) eturn C proc Finalize(β ) eturn β The advantage of A against the ANO-sHID-CPA security of HIBE is defined as [ ] [ ] Adv s-ano-cpa HIBE,L,A (k) = Pr Exp s-ano-cpa-1 HIBE,L,A (k) = 1 Pr Exp s-ano-cpa-0 HIBE,L,A (k)) = 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
16 Outline 1 Introduction 2 HIBE definition Syntax Security notions 3 HIBE schemes Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE 4 Security of BB Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
17 Boneh-Boyen HIBE scheme (BB) Setup(1 k, L): (G, G T, p, ê) G(1 k ) g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; b = 0, 1 do h i,b Z p ; H i,b g h i,b mpk (g, A, B, H 1,0,..., H L,1, G, G T, p, ê) msk g ab return (mpk, msk) KeyDer(sk (id1,...,id l ), id l+1 ): parse sk (id1,...,id l ) as (sk 0,..., sk l ) r l+1 Z p sk 0 sk 0 (H id ) l+1 rl+1 i,0 H i,1 sk l+1 g r l+1 return (sk 0, sk 1,..., sk l, sk l+1) Enc(mpk, id, m): parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i ( H id i i,0 H ) t i,1 K ê(a, B) t C 3 m K return (C 1, (C 2,1,..., C 2,l ), C 3) Dec(sk, C): parse sk (id1,...,id l ) as (sk 0,..., sk l ) parse C as (C 1, C 2,1,..., C 2,l, C 3) K ê(sk 0, C l 1)/ i=1 ê(sk i, C 2,i ) m C 3/K return m Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
18 Additional comments about the BB HIBE scheme The secret key sk (id1,...,id l ) = (sk 0,..., sk l ) for identity (id 1,..., id l ) has the form: sk 0 = g ab l i=1 (Hid i i,0 H i,1) r i sk i = g r i for i = 1,..., l The secret key outputted by KeyDer can be re-randomized via andomize(sk (id1,...,id l )): parse sk (id1,...,id l ) as (sk 0,..., sk l ) for i = 1,..., l do r i Z p sk i sk i g r i sk 0 sk 0 l i=1 (Hid i i,0 H i,1) r i return (sk 0, sk 1,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
19 Correctness of BB HIBE scheme For a valid ciphertext, we have: K = ê(sk 0, C 1 )/ l i=1 ê(sk i, C 2,i ) = ê(g ab l i=1 (Hid i i,0 H i,1) r i, g t )/ l i=1 ê(g r i, (H id i i,0 H i,1) t ) = ê(g ab, g t ) l i=1 ê((hid i i,0 H i,1) r i, g t )/ l i=1 ê(g r i, (H id i i,0 H i,1) t ) = ê(g a, g b ) t = ê(a, B) t = K Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
20 Boneh-Boyen-Goh HIBE scheme (BBG-HIBE) Setup: g 1, g 2 G ; α Z p h 1 g1 α ; h 2 g2 α u i G for i = 1,..., L mpk (g 1, g 2, h 1, u 0,..., u L ) sk 0 h 2 For i = 1,..., L + 1 do sk i 1 msk (sk 0, sk 1,..., sk L, sk L+1 ) eturn (mpk, msk) KeyDer(sk (id1,...,id l ), id l+1 ): Parse sk (id1,...,id l ) as (sk 0, sk l+1,..., sk L, sk L+1 ) r l+1 Z p sk 0 sk 0 sk id l+1 l+1 (u l ) 0 i=1 uid i rl+1 i For i = l + 2,..., L do sk i sk i u r l+1 i sk L+1 sk L+1 g r l+1 1 eturn (sk 0, sk l+2,..., sk L, sk L+1) Enc(mpk, id, m): Parse id as (id 1,..., id l ) r Z p ; C 1 g1 r C 2 ( u l ) 0 i=1 uid i r i C 3 m ê(h 1, g 2) r eturn (C 1, C 2, C 3) Dec(sk (id1,...,id l ), C): Parse sk (id1,...,id l ) as (sk 0, sk l+1,..., sk L+1 ) Parse C as (C 1, C 2, C 3) m C 3 ê(c 2,sk L+1 ) ê(c 1,sk 0 ) eturn m Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
21 Waters HIBE scheme (Wa-HIBE) Setup: g 1, g 2 G ; α Z p h 1 g1 α ; h 2 g2 α u i,j G for i = 1,..., L; j = 0... n mpk (g 1, g 2, h 1, u 1,0,..., u L,n ) msk h 2 eturn (mpk, msk) KeyDer(sk (id1,...,id l ), id l+1 ): Parse sk (id1,...,id l ) as (sk 0,..., sk l ) r l+1 Z p sk 0 sk 0 F l+1 (id l+1 ) r l+1 sk l+1 g r l+1 1 eturn (sk 0, sk 1,..., sk l, sk l+1) Enc(mpk, id, m): Parse id as (id 1,..., id l ) r Z p ; C 1 g r 1 For i = 1,..., l do C 2,i F i (id i ) r C 3 m ê(h 1, g 2) r eturn (C 1, C 2,1,..., C 2,l, C 3) Dec(sk (id1,...,id l ), C): Parse sk (id1,...,id l ) as (sk 0,..., sk l ) Parse C as (C 1, C 2,1,..., C 2,l, C 3) m C 3 eturn m li=1 ê(sk i,c 2,i ) ê(c 1,sk 0 ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
22 Outline 1 Introduction 2 HIBE definition Syntax Security notions 3 HIBE schemes Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE 4 Security of BB Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
23 BDDH security of BB HIBE scheme Theorem Let BB refer to the Boneh-Boyen HIBE scheme described above, G be a pairing parameter generator, and A be an adversary against IND-sHID-CPA security of BB, making at most a single query to the L procedure. Then, there exists an adversary B against the BDDH problem relative to G, whose running time is that of A and such that Adv s-ind-cpa BB,L,A (k) 2 Advbddh (B). G,k Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
24 Security proof of BB scheme Proof will define a sequence of five games (G 0,..., G 4 ). For simplicity, we omit the pairing parameter generation in Initialize. We assume that id has length L. j denotes the smallest index such that id j id j in L procedure. G 0 : This game is the real attack game against BB. G 1 : We change the computation of H i,b so that H id i i,0 H i,1 = g α i for a random α i. G 2 : We change the simulation of the key derivation procedure KeyDer so that the game answers these queries without the knowledge of the master secret key. G 3 : We change the simulation of the L procedure so that C 2,i = C 1 α i. That is, we don t need to know t to compute it. G 4 : We change the simulation of the L procedure so that K is chosen uniformly at random. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
25 Game G 0 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; b = 0, 1 do h i,b Z p ; H i,b g h i,b mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 0 proc L(m0, m1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i (H id i i,0 H i,1) t K ê(a, B) t C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., l do r i Z p ; sk i g r i sk 0 g ab l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
26 Game G 1 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; do α i α i Z p ; H i,0 B α i Z p ; H i,1 g α i B id i α i mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 1 proc L(m0, m1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i (H id i i,0 H i,1) t K ê(a, B) t C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., l do r i Z p ; sk i g r i sk 0 g ab l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
27 Game G 2 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; do Z p ; H i,0 B α i α i α i Z p ; H i,1 g α i B id i α i mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 2 proc L(m0, m1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i (H id i i,0 H i,1) t K ê(a, B) t C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., j 1, j + 1,..., l do Z p ; sk i g r i r j r i Z p ; sk i g r j A 1/(α j (id j id j )) sk 0 A α j /(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
28 Game G 3 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; do Z p ; H i,0 B α i α i α i Z p ; H i,1 g α i B id i α i mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 3 proc L(m 0, m 1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i C 1 α i K ê(a, B) t C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., j 1, j + 1,..., l do r i Z p ; sk i g r i r j Z p ; sk i g r j A 1/(α j (id j id j )) sk 0 A α j /(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
29 Game G 4 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; do Z p ; H i,0 B α i α i α i Z p ; H i,1 g α i B id i α i mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 4 proc L(m 0, m 1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i C 1 α i K G C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., j 1, j + 1,..., l do r i Z p ; sk i g r i r j Z p ; sk i g r j A 1/(α j (id j id j )) sk 0 A α j /(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
30 Probability analysis Claim 1 Adv s-ind-cpa BB,L,A (k) = 2 Pr [ G A 0 = true ] 1 Claim 2 Pr [ G A 1 = true ] = Pr [ G A 0 = true ] Claim 3 Pr [ G A 2 = true ] = Pr [ G A 1 = true ] Claim 4 Pr [ G A 3 = true ] = Pr [ G A 2 = true ] Claim 5 Pr [ G A 4 = true ] Pr [ G A 3 = true ] Adv bddh G,k (B) Claim 6 Pr [ G A 4 = true ] = 1/2 It s straightforward to verify that the security theorem follows from the claims above. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
31 Proof of Claims 1, 2, 4, and 6 Claim 1 follows the security definition. Claim 2 follows from the fact that H i,b is still uniformly distributed in G. Claim 4 follows from the fact that C 2 C 2,i = (H id i i,0 H i,1) t = ((B α i ) id i g α i B id i α i ) t = g α i t = C 1 α i is still being correctly computed. Claim 6 follows from the fact that A has no information about β in G 4. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
32 Proof of Claim 3 Claim 3 follows from the fact that (sk 0,..., sk l ) is still a valid random secret key for user id = (id 1,..., id l ), where r j = r j a/(α j (id j id j )) is the randomness being used to generate sk j. sk j = g r j = g r j a/(α j (id j id j )) = g r j g a/(α j (id j id j )) = g r j A 1/(α j (id j id j )) sk 0 = g ab (H id j j,0 H j,1) r j j 1 i=1 (Hid i i,0 H i,1) r i l i=j+1 (Hid i i,0 H i,1) r i = g ab ((B α j ) id j g α j B id j α j ) a/(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i = g ab ((g bα j ) id j g α j g bid j α j ) a/(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i = g ab (g bα j (id j bid j ) g α j ) a/(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i = g ab g ab (g α j ) a/(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i = A α j /(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
33 Proof of Claim 5 In order to prove Claim 5, we need to build an adversary B against the BDDH problem. Let (G, g, A, B, C, Z) be the input of B. To simulate procedure Initialize, B sets H i,0 = B α i and H i,1 = g α i B id i α i for random α i, α i and returns mpk = (g, A, B, H 1,0,..., H L,1 ) as the public key. When simulating procedure L, B sets C 1 = C, C 2,i = C 1 α i, and K = Z. B simulates procedures KeyDer and Finalize exactly as in G 3. When B is being executed in Game Exp bddh-0 G,k (B), B simulates G 3 to A. That is, Pr [ G A 3 = true ] = Pr [ Exp bddh-0 G,k (B) = true ]. When B is being executed in Game Exp bddh-1 G,k (B), B simulates G 4 to A. That is, Pr [ G A 4 = true ] = Pr [ Exp bddh-1 G,k (B) = true ]. The claim follows. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, / 33
Searchable encryption & Anonymous encryption
Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationResistance to Pirates 2.0: A Method from Leakage Resilient Cryptography
Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography Duong Hieu Phan 1,2 and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. In the classical model of
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationFrom Selective to Full Security: Semi-Generic Transformations in the Standard Model
From Selective to Full Security: Semi-Generic Transformations in the Standard Model Michel Abdalla 1, Dario Fiore 2, and Vadim Lyubashevsky 1 1 Département d Informatique, École normale supérieure, France.
More informationSearchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions
An extended abstract of this paper appears in Victor Shoup, editor, Advances in Cryptology CRYPTO 2005, Volume 3621 of Lecture Notes in Computer Science, pages 205 222, Santa Barbara, California, August
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationCONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More informationPractical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles
Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research
More informationThe k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions
The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions Karyn Benson (UCSD) Hovav Shacham (UCSD) Brent Waters (UT-Austin) Provable Security How to show your cryptosystem
More informationIdentity Based Key Encapsulation with Wildcards
Identity Based Key Encapsulation with Wildcards James Birkett 1, Alexander W. Dent 1, Gregory Neven 2, and Jacob Schuldt 1 1 Information Security Group, Royal Holloway, University of London, Egham, TW20
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationIdentity Based Encryption
Bilinear Pairings in Cryptography: Identity Based Encryption Dan Boneh Stanford University Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G(λ) (pk,sk) outputs pub-key and secret-key
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationOutsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts
Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts elly Fazio 1,2 and Irippuge Milinda Perera 2 1 The City College of CUY fazio@cs.ccny.cuny.edu 2 The Graduate Center of CUY {nfazio,iperera}@gc.cuny.edu
More informationSemantic Security and Indistinguishability in the Quantum World
Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni 1, Andreas Hülsing 2, Christian Schaffner 3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationStrong Security Models for Public-Key Encryption Schemes
Strong Security Models for Public-Key Encryption Schemes Pooya Farshim (Joint Work with Manuel Barbosa) Information Security Group, Royal Holloway, University of London, Egham TW20 0EX, United Kingdom.
More informationPublic Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time
Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time Yi-Ru Liu, Wen-Guey Tzeng Department of Computer Science National Chiao Tung University Hsinchu, Taiwan 30050 Email:
More informationProofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures
Proofs on Encrypted Values in Bilinear Groups and an Application to Anonymity of Signatures G. Fuchsbauer D. Pointcheval École normale supérieure Pairing'09, 13.08.2009 Fuchsbauer, Pointcheval (ENS) Proofs
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationHow to Delegate a Lattice Basis
How to Delegate a Lattice Basis David Cash Dennis Hofheinz Eike Kiltz July 24, 2009 Abstract We present a technique, which we call basis delegation, that allows one to use a short basis of a given lattice
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationIdentity-based Hierarchical Key-insulated Encryption without Random Oracles
Identity-based Hierarchica Key-insuated Encryption without Random Oraces Yohei Watanabe 1,3 Junji Shikata 1,2 1 Graduate Schoo of Environment and Information Sciences, YNU, Japan 2 Institute of Advanced
More informationEfficient Selective Identity-Based Encryption Without Random Oracles
Efficient Selective Identity-Based Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient Identity-Based Encryption (IBE) systems that admit selectiveidentity
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationDirect Chosen-Ciphertext Secure Identity-Based Key Encapsulation without Random Oracles
Direct Chosen-Ciphertext Secure Identity-Based Key Encapsulation without Random Oracles Eike Kiltz David Galindo 2 August 4, 2009 Cryptology and Information Security Research Theme CWI Amsterdam, The Netherlands
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationCSA E0 312: Secure Computation September 09, [Lecture 9-10]
CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability
More informationHierarchical Functional Encryption
Hierarchical Functional Encryption Zvika Brakerski Gil Segev Abstract Functional encryption provides fine-grained access control for encrypted data, allowing each user to learn only specific functions
More informationStandard Security Does Not Imply Indistinguishability Under Selective Opening
Standard Security Does Not Imply Indistinguishability Under Selective Opening Dennis Hofheinz 1, Vanishree Rao 2, and Daniel Wichs 3 1 Karlsruhe Institute of Technology, Germany, dennis.hofheinz@kit.edu
More informationCryptography from Pairings
DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 1 Cryptography from Pairings Kenny Paterson kenny.paterson@rhul.ac.uk May 31st 2007 DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 2 The Pairings Explosion
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationBetter Security for Functional Encryption for Inner Product Evaluations
Better Security for Functional Encryption for Inner Product Evaluations Michel Abdalla, Florian Bourse, Angelo De Caro, and David Pointcheval Département d Informatique, École normale supérieure {michel.abdalla,florian.bourse,angelo.decaro,david.pointcheval}@ens.fr
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationRecent Advances in Identity-based Encryption Pairing-based Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-based Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationTheoretical Computer Science. Direct chosen-ciphertext secure identity-based key encapsulation without random oracles
Theoretical Computer Science 40 (2009) 5093 5 Contents lists available at ScienceDirect Theoretical Computer Science journal homepage: www.elsevier.com/locate/tcs Direct chosen-ciphertext secure identity-based
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationA New Functional Encryption for Multidimensional Range Query
A New Functional Encryption for Multidimensional Range Query Jia Xu 1, Ee-Chien Chang 2, and Jianying Zhou 3 1 Singapore Telecommunications Limited jia.xu@singtel.com 2 National University of Singapore
More informationNew Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts
New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu
More informationLesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search
Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search November 3, 2014 teacher : Benoît Libert scribe : Florent Bréhard Key-Policy Attribute-Based Encryption (KP-ABE)
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationDual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More
Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More Nuttapong Attrapadung (Nuts) AIST, Japan @Eurocrypt 2014, Copenhagen
More informationUnforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! (Using AES with 128 bit block size in Galois Counter Mode and SHA2) Authenticated
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More informationAnonymous Constant-Size Ciphertext HIBE From Asymmetric Pairings
Anonymous Constant-Size Ciphertext HIBE From Asymmetric Pairings Somindu C. Ramanna and Palash Sarkar Applied Statistics nit Indian Statistical Institute 203, B.T. Road, Kolkata India 700108. e-mail: {somindu
More informationAn efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of Boneh-Gentry-Hamburg's
More informationNon-malleability under Selective Opening Attacks: Implication and Separation
Non-malleability under Selective Opening Attacks: Implication and Separation Zhengan Huang 1, Shengli Liu 1, Xianping Mao 1, and Kefei Chen 2,3 1. Department of Computer Science and Engineering, Shanghai
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More informationChapter 11. Asymmetric Encryption Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationLecture 4: Perfect Secrecy: Several Equivalent Formulations
Cryptology 18 th August 015 Lecture 4: Perfect Secrecy: Several Equivalent Formulations Instructor: Goutam Paul Scribe: Arka Rai Choudhuri 1 Notation We shall be using the following notation for this lecture,
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationStronger Public Key Encryption Schemes
Stronger Public Key Encryption Schemes Withstanding RAM Scraper Like Attacks Prof. C.Pandu Rangan Professor, Indian Institute of Technology - Madras, Chennai, India-600036. C.Pandu Rangan (IIT Madras)
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationShift Cipher. For 0 i 25, the ith plaintext character is. E.g. k = 3
Shift Cipher For 0 i 25, the ith plaintext character is shifted by some value 0 k 25 (mod 26). E.g. k = 3 a b c d e f g h i j k l m n o p q r s t u v w x y z D E F G H I J K L M N O P Q R S T U V W X Y
More informationDual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions
Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions Brent Waters University of Texas at Austin Abstract We present a new methodology for proving security of encryption
More informationFully Secure (Doubly-)Spatial Encryption under Simpler Assumptions
Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions Cheng Chen, Zhenfeng Zhang, and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationIdentity-Based Online/Offline Encryption
Fuchun Guo 2 Yi Mu 1 Zhide Chen 2 1 University of Wollongong, Australia ymu@uow.edu.au 2 Fujian Normal University, Fuzhou, China fuchunguo1982@gmail.com Outline 1 2 3 4 Identity-based Encryption Review
More informationSimulation without the Artificial Abort: Simplified Proof and Improved Concrete Security for Waters IBE Scheme
Simulation without the Artificial Abort: Simplified Proof and Improved Concrete Security for Waters IBE Scheme Mihir Bellare and Thomas Ristenpart Dept. of Computer Science & Engineering 0404, University
More informationHidden-Vector Encryption with Groups of Prime Order
Hidden-Vector Encryption with Groups of Prime Order Vincenzo Iovino 1 and Giuseppe Persiano 1 Dipartimento di Informatica ed Applicazioni, Università di Salerno, 84084 Fisciano (SA), Italy. iovino,giuper}@dia.unisa.it.
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationPrivacy-aware Attribute-based Encryption with User Accountability
Privacy-aware Attribute-based Encryption with User Accountability Jin Li 1, Kui Ren 1, Bo Zhu 2, and Zhiguo Wan 3 1 Department of ECE, Illinois Institute of Technology, USA {jinli,kren}@ece.iit.edu 2 Canada
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationOn (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique)
On (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique) Sanjit Chatterjee and Palash Sarkar Applied Statistics Unit
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationEfficient Lattice (H)IBE in the Standard Model
Efficient Lattice (H)IBE in the Standard Model Shweta Agrawal University of Texas, Austin Dan Boneh Stanford University Xavier Boyen PARC Abstract We construct an efficient identity based encryption system
More informationCryptographically Enforced RBAC
Cryptographically Enforced RBAC Anna Lisa Ferrara 1, Georg Fuchsbauer 2, and Bogdan Warinschi 1 1 University of Bristol, UK, anna.lisa.ferrara@bristol.ac.uk,bogdan@cs.bris.ac.uk 2 Institute of Science
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationFully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption
Fully Secure Functional Encryption: ttribute-based Encryption and (Hierarchical) Inner Product Encryption llison Lewko 1, Tatsuaki Okamoto 2, mit Sahai 3, Katsuyuki Takashima 4, and Brent Waters 5 1 University
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationarxiv: v1 [cs.cr] 24 Feb 2017
Efficient Hidden Vector Encryptions and Its Applications 1 arxiv:1702.07456v1 [cs.cr] 24 Feb 2017 Kwangsu Lee A Thesis for the Degree of Doctor of Philosophy Department of Information Security, Graduate
More informationDecentralizing Inner-Product Functional Encryption
Decentralizing Inner-Product Functional Encryption Michel bdalla 1,2, Fabrice Benhamouda 3, Markulf Kohlweiss 4, and Hendrik Waldner 4 1 DIENS, École normale supérieure, CNRS, PSL University, Paris, France
More informationFully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption
Fully Secure Functional Encryption: ttribute-based Encryption and (Hierarchical) Inner Product Encryption llison Lewko University of Texas at ustin alewko@cs.utexas.edu mit Sahai UCL sahai@cs.ucla.edu
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationSYMMETRIC ENCRYPTION. Syntax. Example: OTP. Correct decryption requirement. A symmetric encryption scheme SE = (K, E, D) consists of three algorithms:
Syntax symmetric encryption scheme = (K, E, D) consists of three algorithms: SYMMETRIC ENCRYPTION K is randomized E can be randomized or stateful D is deterministic 1/ 116 2/ 116 Correct decryption requirement
More informationUnbounded HIBE and Attribute-Based Encryption
Unbounded HIBE and ttribute-based Encryption llison Lewko University of Texas at ustin alewko@cs.utexas.edu Brent Waters University of Texas at ustin bwaters@cs.utexas.edu bstract In this work, we present
More information