Pairing-free equality test over short ciphertexts
Research Article
International Journal of Distributed Sensor Networks 2017, Vol. 13(6). © The Author(s) 2017. journals.sagepub.com/home/ijdsn

Huijun Zhu, Licheng Wang, Haseeb Ahmad and Xinxin Niu
State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, P.R. China

Corresponding author: Licheng Wang, State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, P.R. China. Email: wanglc2012@126.com

Abstract
The concept of public key encryption with equality test was introduced at CT-RSA 2010. It has been used in many fields, especially in cloud storage. However, the earlier schemes do not provide an effective authorization mechanism. To fill this gap, Ma et al. presented a public key encryption with equality test supporting flexible authorization based on bilinear pairings. Recently, Lin et al. presented a pairing-free scheme that employs a quadratic curve to perform the equality tests, which achieves a trade-off between computational cost and storage space. In this article, we show that the equality test can be performed better by using a straight line rather than a quadratic curve. Moreover, we simplify the encryption algorithm and reduce the ciphertext storage space.

Keywords: Public key encryption with equality test, cloud storage, flexible authorization

Date received: 11 October 2016; accepted: 16 May 2017
Academic editor: Shancang Li

Creative Commons CC-BY: This article is distributed under the terms of the Creative Commons Attribution 4.0 License, which permits any use, reproduction and distribution of the work without further permission provided the original work is attributed as specified on the SAGE and Open Access pages.

Introduction
Searchable encryption (SE), presented in 2004 by Boneh et al. [1], allows a server to check whether some messages contain a specific keyword without retrieving the entire messages. Subsequently, the research community presented many improved schemes [2–8]. In 2007, Bellare and O'Neill [9] conceptualized deterministic encryption (DE) for public-key encryption schemes, in which the encryption algorithm is executed deterministically. Later, DE was developed further by Bellare et al. [10] and Boldyreva and O'Neill [11]. However, DE did not gain wide acceptance because of its deterministic approach. With the development of cloud computing and outsourcing, traditional encryption schemes cannot provide solutions for many applications, such as the splitting of a database.

To handle this issue, Yang et al. [12] proposed the notion of public key encryption with equality test (PKEwET) at CT-RSA 2010. This mechanism allows anyone to check whether two ciphertexts contain the same message without decrypting them. Tang [13] strengthened PKEwET with fine-grained authorization (FG-PKEwET), in which two users authorize a semi-trusted proxy to perform the equality test on their ciphertexts. Later, an extension of FG-PKEwET was also put forward by Tang [14]. In the same year, Tang [15] presented a new primitive called all-or-nothing PKEwET (AoN-PKEwET), which authorizes specific users to perform a plaintext equality test on their ciphertexts. Another perspective, identity-based encryption with equality test (IBEwET), was proposed by Ma [16]; it combines the concepts of PKEwET and identity-based encryption. The privacy of users is an essential consideration when designing an applied protocol.

Therefore, Ma et al. [17] strengthened the concept of PKEwET by introducing flexible authorization, termed PKEwET-FA. In that scheme, the authors implemented different authorization policies, each with a corresponding trapdoor, for the test algorithm. For instance, as described in Ma et al. [17], suppose Alice is a ciphertext receiver; then four types of authorization of different granularity can be described as follows:

Type 1. User-level authorization: All ciphertexts of Alice can be compared with all ciphertexts of any other receiver.
Type 2. Ciphertext-level authorization: A specific ciphertext of Alice can be compared with a specific ciphertext of any other receiver.
Type 3. User-specific ciphertext-level authorization: A specific ciphertext of Alice can be compared only with a specific ciphertext of a specific receiver, for example Bob, and cannot be compared with any ciphertext of any receiver other than Bob.
Type 4. Ciphertext-to-user (or user-to-ciphertext) level authorization: A specific ciphertext of Alice can be compared with all ciphertexts of any other receiver (or vice versa).

Recently, Lin et al. [18] proposed a new PKEwET-FA scheme in which the equality tests are performed without bilinear pairings. More precisely, the authors use the message to generate a quadratic curve and then use Shamir's secret sharing scheme to perform the equality test. Although this removes the dependence on bilinear pairings, the computational cost of the scheme is high because of the quadratic curve.

Motivation and contribution
In this article, we improve the scheme of Lin et al. [18] by replacing the quadratic curve with a straight line to reduce the computational cost. Moreover, we simplify the encryption algorithm and reduce the number of modular exponentiations.
Compared with Lin et al. [18], our proposed scheme is more efficient in the equality test as well as in encryption and decryption. Furthermore, the ciphertext storage space is also smaller than that of Lin et al. [18]. We compare the presented scheme with previous work, and the result shows that our scheme is more efficient and robust.

Organization
The rest of this article is organized as follows. In section Preliminaries, Shamir's secret sharing scheme and the related security model are discussed. In section The proposed scheme, we present our scheme with its four types of authorization and prove its correctness. In section Security, we provide the security proof of the presented scheme. In section Performance analysis, a detailed analysis of the presented scheme and comparisons with other schemes are given. Finally, concluding remarks are given in section Conclusion.

Preliminaries

Definitions
Definition 1 (Decision Diffie-Hellman (DDH) problem). Let $G$ be a group of large prime order $q$, and consider the two 4-tuples $(g, g^a, g^b, g^{ab})$ and $(g, g^a, g^b, g^c) \in G^4$ with $g \neq 1$, where $a, b, c \in \mathbb{Z}_q$. A DDH algorithm $A$ for the group $G$ is a probabilistic polynomial-time algorithm satisfying
$$\left|\Pr[A(g, G, g^a, g^b, g^{ab}) = \mathrm{True}] - \Pr[A(g, G, g^a, g^b, g^c) = \mathrm{True}]\right| \ge \epsilon.$$
We say that the group $G$ satisfies the DDH assumption if there is no DDH algorithm for $G$.

Definition 2 (Correctness). A PKEwET-FA scheme is correct if, for any $sp \leftarrow \mathrm{Setup}(k)$ and $(pk_i, sk_i) \leftarrow \mathrm{KeyGen}(sp, i)$, the following conditions are satisfied:
1. For any $M \in \mathcal{M}$, $\mathrm{Decrypt}(\mathrm{Encrypt}(M, pk_i), sk_i) = M$ always holds.
2. For any ciphertexts $c_i$ and $c_j$, if $\mathrm{Decrypt}(c_i, sk_i) = \mathrm{Decrypt}(c_j, sk_j) \neq \bot$:
(a) Type 1 authorization. Given $\mathrm{Aut}_1(sk_i) = td_{1,i}$ and $\mathrm{Aut}_1(sk_j) = td_{1,j}$, it holds that $\mathrm{Test}_1(c_i, td_{1,i}, c_j, td_{1,j}) = 1$.
(b) Type 2 authorization. Given $\mathrm{Aut}_2(sk_i, c_i) = td_{2,i,c_i}$ and $\mathrm{Aut}_2(sk_j, c_j) = td_{2,j,c_j}$, it holds that $\mathrm{Test}_2(c_i, td_{2,i,c_i}, c_j, td_{2,j,c_j}) = 1$.
(c) Type 3 authorization. Given $\mathrm{Aut}_3(sk_i, c_i, c_j) = td_{3,i,c_i,j,c_j}$ and $\mathrm{Aut}_3(sk_j, c_j, c_i) = td_{3,j,c_j,i,c_i}$, it holds that $\mathrm{Test}_3(c_i, td_{3,i,c_i,j,c_j}, c_j, td_{3,j,c_j,i,c_i}) = 1$.
(d) Type 4 authorization. Given $\mathrm{Aut}_4(sk_i, c_i) = td_{4,i,c_i}$ and $\mathrm{Aut}_4(sk_j) = td_{4,j}$, it holds that $\mathrm{Test}_4(c_i, td_{4,i,c_i}, c_j, td_{4,j}) = 1$.
3. For any ciphertexts $c_i$ and $c_j$, if $\mathrm{Decrypt}(c_i, sk_i) \neq \mathrm{Decrypt}(c_j, sk_j)$:
(a) Type 1 authorization. Given $\mathrm{Aut}_1(sk_i) = td_{1,i}$ and $\mathrm{Aut}_1(sk_j) = td_{1,j}$, $\Pr[\mathrm{Test}_1(c_i, td_{1,i}, c_j, td_{1,j}) = 1]$ is negligible.
(b) Type 2 authorization. Given $\mathrm{Aut}_2(sk_i, c_i) = td_{2,i,c_i}$ and $\mathrm{Aut}_2(sk_j, c_j) = td_{2,j,c_j}$, $\Pr[\mathrm{Test}_2(c_i, td_{2,i,c_i}, c_j, td_{2,j,c_j}) = 1]$ is negligible.
(c) Type 3 authorization. Given $\mathrm{Aut}_3(sk_i, c_i, pk_j, c_j) = td_{3,i,c_i,j,c_j}$ and $\mathrm{Aut}_3(sk_j, c_j, pk_i, c_i) = td_{3,j,c_j,i,c_i}$, $\Pr[\mathrm{Test}_3(c_i, td_{3,i,c_i,j,c_j}, c_j, td_{3,j,c_j,i,c_i}) = 1]$ is negligible.
(d) Type 4 authorization. Given $\mathrm{Aut}_4(sk_i, c_i) = td_{4,i,c_i}$ and $\mathrm{Aut}_4(sk_j) = td_{4,j}$, $\Pr[\mathrm{Test}_4(c_i, td_{4,i,c_i}, c_j, td_{4,j}) = 1]$ is negligible.

Shamir's secret sharing scheme
Shamir's $(t, n)$-threshold secret sharing scheme is based on the Lagrange interpolation polynomial. Given $t$ distinct points $(x_i, f(x_i))$, where $f(x)$ is a polynomial of degree less than $t$, $f(x)$ is determined as
$$f(x) = \sum_{i=1}^{t} f(x_i) \prod_{j=1,\, j \neq i}^{t} \frac{x - x_j}{x_i - x_j}.$$
Shamir's scheme is defined for a secret $s \in \mathbb{Z}_p$ by setting $a_0 = s$ and choosing $a_1, a_2, \ldots, a_{t-1} \in \mathbb{Z}_q$. For all $1 \le x_i \le q$, $1 \le i \le n$, the trusted party computes $f(x_i)$, where $f(x) = \sum_{k=0}^{t-1} a_k x^k$. The shares $(x_i, f(x_i))$ are distributed to $n$ distinct parties. Since the secret is the constant term $s = a_0 = f(0)$, it can be recovered from any $t$ shares $(x_i, f(x_i))$ as
$$s = f(0) = \sum_{i=1}^{t} f(x_i) \prod_{j=1,\, j \neq i}^{t} \frac{x_j}{x_j - x_i}.$$

Security models
We recall the security models of PKEwET-FA defined in Ma et al. [17]. A scheme consists of six algorithms: Setup, KeyGen, Encrypt, Decrypt, Authorization-a and Test-a ($a = 1, 2, 3, 4$). Suppose that the system has a label $i$ for user $u_i$. The Setup algorithm takes the security parameter as input and outputs the system parameters $sp$.
The KeyGen algorithm takes as inputs the system parameters and a user label $i$, and outputs the public key and private key of user $i$. The encryption algorithm takes a public key and a message $M$, and outputs a ciphertext $c_i$. The decryption algorithm takes the private key $sk_i$ and a ciphertext $c_i$, and outputs a message $M$ or $\bot$. The authorization algorithm takes as inputs the private key $sk_i$ and other required information, and outputs the trapdoor. The test algorithm takes as inputs two ciphertexts and the trapdoors, and outputs 1 if they contain the same message and 0 otherwise. Because Type 4 authorization is a combination of Type 1 and Type 2 authorization, we leave out Type 4 authorization queries for simplicity and allow only Type-a ($a = 1, 2, 3$) authorization queries to the adversary in the security games. The two types of adversaries for the security of PKEwET-FA are described as follows:
1. Type I adversary. For Type-a ($a = 1, 2, 3$) authorization, even with the Type-a trapdoor information, the attacker cannot recover the plaintext from the challenge ciphertext.
2. Type II adversary. For Type-a ($a = 1, 2, 3$) authorization, without the Type-a trapdoor information, the adversary cannot decide which message the challenge ciphertext $c_t$ encrypts.

First, we define one-wayness against chosen-ciphertext attack (OW-CCA) security for Type-a ($a = 1, 2, 3$) authorization against a Type I adversary in PKEwET-FA as follows.

Game 1. Suppose that $A_1$ is a Type I adversary and $S$ is the challenger. The target receiver has label $t$ ($1 \le t \le n$). The game between $A_1$ and $S$ is presented in Figure 1. Here $O_1(i) = \mathrm{KeyGen}(sp, i)$, $O_2(i, c_i) = \mathrm{dec}(sk_i, c_i)$, $O_3(i, \cdot) = \mathrm{ET\text{-}Auth}(sk_i, \cdot)$ and $O_6 = O_3$, but
$$O_4(i) = \begin{cases} O_1(i) & i \neq t \\ \bot & \text{otherwise} \end{cases}, \qquad O_5(i, c_i) = \begin{cases} O_2(i, c_i) & c_i \neq c_t \\ \bot & \text{otherwise.} \end{cases}$$
The advantage of $A_1$ in the above game is defined as
$$Adv^{\mathrm{OW\text{-}CCA},\ \mathrm{Type}\ a}_{\mathrm{PKEwET\text{-}FA},\ A_1}(k) = \Pr[M_t' = M_t] \quad (a = 1, 2, 3).$$

Definition 3. For Type-a ($a = 1, 2, 3$) authorization, a PKEwET-FA scheme is OW-CCA secure if for all OW-CCA adversaries $A_1$, $Adv^{\mathrm{OW\text{-}CCA},\ \mathrm{Type}\ a}_{\mathrm{PKEwET\text{-}FA},\ A_1}(k)$ is negligible in the security parameter $k$.

Figure 1. The game between $A_1$ and $S$.

Next, we define indistinguishability against chosen-ciphertext attack (IND-CCA) security for Type-a ($a = 1, 2, 3$) authorization against a Type II adversary in PKEwET-FA as follows.

Game 2. Suppose that $A_2$ is a Type II adversary and $S$ is the challenger. The target receiver has label $t$ ($1 \le t \le n$). The game between $A_2$ and $S$ is presented in Figure 2. Here $O_1(i) = \mathrm{KeyGen}(i)$, $O_2(i, c_i) = \mathrm{dec}(sk_i, c_i)$, $O_3(i, \cdot) = \mathrm{ET\text{-}Auth}(sk_i, \cdot)$, and $O_6 = O_3$ restricted to $i \neq t$ for $a = 1$ and to $c_i \neq c_t$ for $a = 2$ or $3$, but
$$O_4(i) = \begin{cases} O_1(i) & i \neq t \\ \bot & \text{otherwise} \end{cases}, \qquad O_5(i, c_i) = \begin{cases} O_2(i, c_i) & c_i \neq c_t \\ \bot & \text{otherwise.} \end{cases}$$
The advantage of $A_2$ in the above game is defined as
$$Adv^{\mathrm{IND\text{-}CCA},\ \mathrm{Type}\ a}_{\mathrm{PKEwET\text{-}FA},\ A_2}(k) = \left|\Pr[b' = b] - 1/2\right| \quad (a = 1, 2, 3).$$

Definition 4. For Type-a ($a = 1, 2, 3$) authorization, a PKEwET-FA scheme is IND-CCA secure if for all IND-CCA adversaries $A_2$, $Adv^{\mathrm{IND\text{-}CCA},\ \mathrm{Type}\ a}_{\mathrm{PKEwET\text{-}FA},\ A_2}(k)$ is negligible in the security parameter $k$.

Figure 2. The game between $A_2$ and $S$.

Notice. The aim of our scheme is to perform the equality test on the messages underlying the ciphertexts of different users, so that it can be used in multi-user public key encryption settings.

The proposed scheme
Here, we describe our scheme in detail.

Setup($k$): Let $k$ be a security parameter and $M \in \{0,1\}^k$. The algorithm outputs the system parameters $sp$ as follows:
1. Let $G$ be a group of prime order $q$ and $g$ a random generator of $G$.
2. Select hash functions $H_1: G \to \{0,1\}^k$, $H_2: G^4 \to \mathbb{Z}_q^4$ and $H_3, H_4, H_5, H_6: \{0,1\}^k \to \mathbb{Z}_q$.

KeyGen($sp$, $i$): This algorithm allocates a label to each user and keeps a list of the users with (key, $i$). With the system parameters $sp$, it chooses $x_i, y_i \in \mathbb{Z}_q$ at random and computes $X_i = g^{x_i}$ and $Y_i = g^{y_i}$. The user's key pair is $(pk_i, sk_i) = ((X_i, Y_i), (x_i, y_i))$.

Encrypt($M$, $pk_i$): It takes the public key $pk_i$ and the message $M \in \{0,1\}^k$ as input and outputs the ciphertext $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$ as follows:
1. Use $H_3, H_4, H_5, H_6$ to create two points $p_1 = (H_3(M), H_4(M))$ and $p_2 = (H_5(M), H_6(M))$;
2. Use the two points $p_1, p_2$ to construct a straight line $f(x)$;
3. Choose $x_{i,1}, x_{i,2} \in \{0,1\}^l$ at random and let $f(x_{i,1}) = y_{i,1}$ and $f(x_{i,2}) = y_{i,2}$. If $x_{i,1} = 0$ or $x_{i,2} = 0$, choose $x_{i,1}, x_{i,2} \in \{0,1\}^l$ again;
4. Choose a random number $r \in \mathbb{Z}_q^*$ and let
$$c_{i,1} = g^r, \qquad c_{i,2} = M \oplus H_1(Y_i^r), \qquad c_{i,3} = (x_{i,1}\|x_{i,2}\|y_{i,1}\|y_{i,2}) \oplus H_2(X_i^r, c_{i,1}, c_{i,2}).$$

Decrypt($c_i$, $sk_i$): Given $sk_i$ and a ciphertext $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$, the algorithm decrypts as follows:
$$M \leftarrow c_{i,2} \oplus H_1(c_{i,1}^{y_i})$$
$$x_{i,1}\|x_{i,2}\|y_{i,1}\|y_{i,2} \leftarrow c_{i,3} \oplus H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$$
Then it uses $M$ to create $f(x)$ by the same process as steps (1) and (2) of Encrypt. If both $f(x_{i,1}) = y_{i,1}$ and $f(x_{i,2}) = y_{i,2}$ hold, the algorithm outputs $M$; otherwise, it outputs $\bot$.

Suppose $u_i$ and $u_j$ are two users in the system and $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$ (resp. $c_j = (c_{j,1}, c_{j,2}, c_{j,3})$) is a ciphertext of $u_i$ (resp. $u_j$). $r_i$ (resp. $r_j$) denotes the randomness used in the generation of $c_i$ (resp. $c_j$).

1. Type 1 authorization
$\mathrm{Auth}_1(sk_i)$: The algorithm outputs the trapdoor $td_{1,i} = x_i$.
$\mathrm{Test}_1(c_i, td_{1,i}, c_j, td_{1,j})$: This algorithm performs as follows:
$$x_{i,1}\|x_{i,2}\|y_{i,1}\|y_{i,2} \leftarrow c_{i,3} \oplus H_2(c_{i,1}^{td_{1,i}}, c_{i,1}, c_{i,2}), \qquad x_{j,1}\|x_{j,2}\|y_{j,1}\|y_{j,2} \leftarrow c_{j,3} \oplus H_2(c_{j,1}^{td_{1,j}}, c_{j,1}, c_{j,2}),$$
$$f_i(x) \leftarrow (q, (x_{i,1}, y_{i,1}), (x_{j,1}, y_{j,1})), \qquad f_j(x) \leftarrow (q, (x_{i,2}, y_{i,2}), (x_{j,2}, y_{j,2})).$$
Then it outputs 1 if $f_i(x) = f_j(x)$ holds, and 0 otherwise.

2. Type 2 authorization
$\mathrm{Auth}_2(sk_i, c_i)$: The algorithm computes the trapdoor $td_{2,i,c_i} = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$.
$\mathrm{Test}_2(c_i, td_{2,i,c_i}, c_j, td_{2,j,c_j})$: This algorithm performs as follows:
$$x_{i,1}\|x_{i,2}\|y_{i,1}\|y_{i,2} \leftarrow c_{i,3} \oplus td_{2,i,c_i}, \qquad x_{j,1}\|x_{j,2}\|y_{j,1}\|y_{j,2} \leftarrow c_{j,3} \oplus td_{2,j,c_j},$$
$$f_i(x) \leftarrow (q, (x_{i,1}, y_{i,1}), (x_{j,1}, y_{j,1})), \qquad f_j(x) \leftarrow (q, (x_{i,2}, y_{i,2}), (x_{j,2}, y_{j,2})).$$
Then it outputs 1 if $f_i(x) = f_j(x)$ holds, and 0 otherwise.

3. Type 3 authorization
$\mathrm{Auth}_3(sk_i, c_i, c_j)$: The algorithm computes the trapdoor
$$td_{3,i,c_i,j,c_j} = (z_i, V_{i,1}, V_{i,2}) = \left([H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})]_1^{2l},\ Z_i^{y_{i,1}},\ Z_i^{y_{i,2}}\right), \quad \text{where } Z_i = c_{j,1} c_{i,1}$$
and $[\cdot]_1^{2l}$ denotes the first $2l$ bits.
$\mathrm{Test}_3(c_i, td_{3,i,c_i,j,c_j}, c_j, td_{3,j,c_j,i,c_i})$: It is performed as follows:
$$x_{i,1}\|x_{i,2} \leftarrow [c_{i,3}]_1^{2l} \oplus z_i, \qquad x_{j,1}\|x_{j,2} \leftarrow [c_{j,3}]_1^{2l} \oplus z_j.$$
Then it uses the Lagrange interpolation coefficients
$$D_{i,1} = \frac{x_{i,2}}{x_{i,2} - x_{i,1}} \pmod q, \quad D_{i,2} = \frac{x_{i,1}}{x_{i,1} - x_{i,2}} \pmod q, \quad D_{j,1} = \frac{x_{j,2}}{x_{j,2} - x_{j,1}} \pmod q, \quad D_{j,2} = \frac{x_{j,1}}{x_{j,1} - x_{j,2}} \pmod q.$$
Finally, it tests whether or not
$$V_{i,1}^{D_{i,1}} \, V_{j,1}^{D_{j,1}} = V_{j,2}^{D_{j,2}} \, V_{i,2}^{D_{i,2}}$$
holds. If it does, it returns 1, and 0 otherwise.

4. Type 4 authorization
$\mathrm{Auth}_4(sk_i, c_i)$: The algorithm computes the trapdoor $td_{4,i,c_i} = \mathrm{Aut}_2(sk_i, c_i) = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$.
$\mathrm{Aut}_4(sk_j)$: The algorithm outputs the trapdoor $td_{4,j} = \mathrm{Aut}_1(sk_j) = x_j$.
$\mathrm{Test}_4(c_i, td_{4,i,c_i}, c_j, td_{4,j})$: This algorithm performs as follows:
$$x_{i,1}\|x_{i,2}\|y_{i,1}\|y_{i,2} \leftarrow c_{i,3} \oplus td_{4,i,c_i}, \qquad x_{j,1}\|x_{j,2}\|y_{j,1}\|y_{j,2} \leftarrow c_{j,3} \oplus H_2(c_{j,1}^{td_{4,j}}, c_{j,1}, c_{j,2}),$$
$$f_i(x) \leftarrow (q, (x_{i,1}, y_{i,1}), (x_{j,1}, y_{j,1})), \qquad f_j(x) \leftarrow (q, (x_{i,2}, y_{i,2}), (x_{j,2}, y_{j,2})).$$
Then it outputs 1 if $f_i(x) = f_j(x)$ holds, and 0 otherwise.

Theorem 1. According to Definition 2, our proposed PKEwET-FA scheme is correct.

Proof. We prove that our scheme satisfies the three conditions of Definition 2:
1. It is not difficult to check that the first condition is satisfied.
2. For the second condition, for any $sp \leftarrow \mathrm{Setup}(k)$, $(pk_i, sk_i) \leftarrow \mathrm{KeyGen}(sp, i)$, $c_i = (c_{i,1}, c_{i,2}, c_{i,3}) = \mathrm{Encrypt}(M_i, pk_i)$ and $c_j = (c_{j,1}, c_{j,2}, c_{j,3}) = \mathrm{Encrypt}(M_j, pk_j)$, the following equalities hold. For the message $M_i$ (resp. $M_j$), the straight line $f_i(x)$ (resp. $f_j(x)$) is constructed through the two points $(x_{i,1}, y_{i,1}), (x_{j,1}, y_{j,1})$ (resp. $(x_{i,2}, y_{i,2}), (x_{j,2}, y_{j,2})$). If $f_i(x) = f_j(x)$ (or $f_i(0) = f_j(0)$ in Type 3 authorization), we have $M_i = M_j$.

Type 1 authorization: With $td_{1,i} = x_i$ and $td_{1,j} = x_j$, we compute
$$x_{i,1}\|x_{i,2}\|y_{i,1}\|y_{i,2} \leftarrow c_{i,3} \oplus H_2(c_{i,1}^{td_{1,i}}, c_{i,1}, c_{i,2}), \qquad x_{j,1}\|x_{j,2}\|y_{j,1}\|y_{j,2} \leftarrow c_{j,3} \oplus H_2(c_{j,1}^{td_{1,j}}, c_{j,1}, c_{j,2}).$$
Therefore, $f_i(x) = f_j(x)$ holds for $M_i = M_j$.

Type 2 authorization: With $td_{2,i,c_i} = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$ and $td_{2,j,c_j} = H_2(c_{j,1}^{x_j}, c_{j,1}, c_{j,2})$, we compute
$$x_{i,1}\|x_{i,2}\|y_{i,1}\|y_{i,2} \leftarrow c_{i,3} \oplus td_{2,i,c_i}, \qquad x_{j,1}\|x_{j,2}\|y_{j,1}\|y_{j,2} \leftarrow c_{j,3} \oplus td_{2,j,c_j}.$$
Therefore, $f_i(x) = f_j(x)$ holds for $M_i = M_j$.

Type 3 authorization: With
$$td_{3,i,c_i,j,c_j} = (z_i, V_{i,1}, V_{i,2}) = \left([H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})]_1^{2l},\ Z_i^{y_{i,1}},\ Z_i^{y_{i,2}}\right), \qquad td_{3,j,c_j,i,c_i} = (z_j, V_{j,1}, V_{j,2}) = \left([H_2(c_{j,1}^{x_j}, c_{j,1}, c_{j,2})]_1^{2l},\ Z_j^{y_{j,1}},\ Z_j^{y_{j,2}}\right),$$
where $Z_i = c_{j,1} c_{i,1}$ and $Z_j = c_{i,1} c_{j,1}$, so that $Z_i = Z_j = g^{r_i + r_j}$, we compute
$$x_{i,1}\|x_{i,2} \leftarrow [c_{i,3}]_1^{2l} \oplus z_i, \qquad x_{j,1}\|x_{j,2} \leftarrow [c_{j,3}]_1^{2l} \oplus z_j,$$
$$V_{i,1}^{D_{i,1}} V_{j,1}^{D_{j,1}} = Z_i^{y_{i,1} D_{i,1}} Z_i^{y_{j,1} D_{j,1}} = Z_i^{y_{i,1} D_{i,1} + y_{j,1} D_{j,1}} = Z_i^{f_i(0)},$$
$$V_{j,2}^{D_{j,2}} V_{i,2}^{D_{i,2}} = Z_i^{y_{j,2} D_{j,2}} Z_i^{y_{i,2} D_{i,2}} = Z_i^{y_{j,2} D_{j,2} + y_{i,2} D_{i,2}} = Z_i^{f_j(0)}.$$
Therefore, $f_i(0) = f_j(0)$ holds for $M_i = M_j$.

Type 4 authorization: With $td_{4,i,c_i} = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$ and $td_{4,j} = x_j$, we compute
$$x_{i,1}\|x_{i,2}\|y_{i,1}\|y_{i,2} \leftarrow c_{i,3} \oplus td_{4,i,c_i}, \qquad x_{j,1}\|x_{j,2}\|y_{j,1}\|y_{j,2} \leftarrow c_{j,3} \oplus H_2(c_{j,1}^{td_{4,j}}, c_{j,1}, c_{j,2}).$$
Therefore, $f_i(x) = f_j(x)$ holds for $M_i = M_j$.

3. For the third condition, the following hold:
Type 1 authorization: $\mathrm{Test}_1(c_i, td_{1,i}, c_j, td_{1,j}) = 1$ implies $f_i(x) = f_j(x)$. Since $\Pr[f_i(x) = f_j(x)]$ is negligible for $M_i \neq M_j$, $\Pr[\mathrm{Test}_1(c_i, td_{1,i}, c_j, td_{1,j}) = 1]$ is negligible.
Type 2 authorization: $\mathrm{Test}_2(c_i, td_{2,i,c_i}, c_j, td_{2,j,c_j}) = 1$ implies $f_i(x) = f_j(x)$. Since $\Pr[f_i(x) = f_j(x)]$ is negligible for $M_i \neq M_j$, $\Pr[\mathrm{Test}_2(c_i, td_{2,i,c_i}, c_j, td_{2,j,c_j}) = 1]$ is negligible.
Type 3 authorization: $\mathrm{Test}_3(c_i, td_{3,i,c_i,j,c_j}, c_j, td_{3,j,c_j,i,c_i}) = 1$ implies $V_{i,1}^{D_{i,1}} V_{j,1}^{D_{j,1}} = V_{j,2}^{D_{j,2}} V_{i,2}^{D_{i,2}}$, which means $f_i(0) = f_j(0)$. Since $\Pr[f_i(0) = f_j(0)]$ is negligible for $M_i \neq M_j$, $\Pr[\mathrm{Test}_3(c_i, td_{3,i,c_i,j,c_j}, c_j, td_{3,j,c_j,i,c_i}) = 1]$ is negligible.
Type 4 authorization: $\mathrm{Test}_4(c_i, td_{4,i,c_i}, c_j, td_{4,j}) = 1$ implies $f_i(x) = f_j(x)$. Since $\Pr[f_i(x) = f_j(x)]$ is negligible for $M_i \neq M_j$, $\Pr[\mathrm{Test}_4(c_i, td_{4,i,c_i}, c_j, td_{4,j}) = 1]$ is negligible.

Security

Scheme security
In this section, we prove the security of our proposed scheme.

Theorem 2. Our proposed scheme is OW-CCA secure under the DDH assumption in the random oracle model for Type-a ($a = 1, 2, 3$) authorization against a Type I adversary.

Proof. Suppose $A_1$ is a Type I adversary breaking the cryptosystem. We build an algorithm $B$ that solves the DDH problem in $G$ by simulating an attack environment for such an adversary. Algorithm $B$ is given a four-tuple $(g, g^a, g^b, g^c) \in G^4$, and its target is to decide whether or not $g^{ab} = g^c$ holds. During the interaction, $B$ records the answers it gives to all queries and additionally maintains a separate list for $H_1$. Let $A_1$ choose $t$ as its target at the beginning of the game.
1. Setup. $B$ creates the system parameters $sp = (G, g, H_1, H_2, H_3, H_4, H_5, H_6)$ from the security parameter $k$ as in Setup and provides $sp$ to $A_1$, where $H_1$ is a random oracle controlled by $B$. Then $B$ generates $n$ public/private key pairs $(pk_i, sk_i)$ ($1 \le i \le n$) with KeyGen and provides all $pk_i = (X_i = g^{x_i}, Y_i = g^{y_i})$ to $A_1$ (for $i = t$, $pk_t = (X_t = g^{x_t}, Y_t = g^a)$), keeping $sk_i = (x_i, y_i)$ secret (for $i = t$, $sk_t = (x_t)$; $B$ does not know the secret key corresponding to $Y_t$), where $x_i, y_i, x_t \in \mathbb{Z}_q^*$.
2. Phase 1. $A_1$ may issue queries to all random oracles a polynomial number of times.
The constraint is that $t$ does not appear in the decryption key retrieval queries:
$H_1$ query: To answer $A_1$'s queries, $B$ keeps an $H_1$-list of tuples of the form $(a_i, u_i)$. On query $a_i$, $B$ does the following: if $a_i$ already appears in the $H_1$-list in a tuple $(a_i, u_i)$, $B$ responds with $H_1(a_i) = u_i$; otherwise, $B$ picks $u_i \in \{0,1\}^k$ at random, adds the new tuple $(a_i, u_i)$ to the $H_1$-list and responds with $H_1(a_i) = u_i$.
Decryption key retrieval queries ($i$): $B$ responds to $A_1$ with the $sk_i$ created in Setup ($i \neq t$).
Decryption queries ($i$, $c_i$): Suppose $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$. If $i \neq t$, $B$ runs Decrypt with the valid $c_i$ and $sk_i$ as inputs and responds to $A_1$ with the output. Otherwise, for each tuple $(a_i, u_i)$ in the $H_1$-list, $B$ computes:
1. $M_i = c_{i,2} \oplus u_i$ and $x_{i,1}\|x_{i,2}\|y_{i,1}\|y_{i,2} = c_{i,3} \oplus H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$;
2. uses $M_i$ to generate $P_1, P_2$ as in the algorithm Encrypt;
3. uses the two points $P_1, P_2$ to construct a straight line $f_i(x)$;
4. tests whether $f_i(x_{i,1}) = y_{i,1}$ and $f_i(x_{i,2}) = y_{i,2}$ hold; if yes, $B$ returns $M_i$ to $A_1$. If no tuple passes, it responds $\bot$ to $A_1$.
Authorization queries ($i$, $\cdot$): For Type-a ($a = 1, 2, 3$) authorization:
1. For $a = 1$ with given $i$, $B$ runs $\mathrm{Auth}_1(sk_i)$ and responds to $A_1$ with $td_{1,i} = x_i$ ($x_i = sk_i$);
2. For $a = 2$ with given $(i, c_i)$, $B$ runs $\mathrm{Auth}_2(sk_i, c_i)$ and responds to $A_1$ with $td_{2,i,c_i} = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$ ($x_i = sk_i$);
3. For $a = 3$ with given $(i, c_i, j, c_j)$, $B$ runs $\mathrm{Auth}_3(sk_i, c_i, c_j)$ and responds with
$$td_{3,i,c_i,j,c_j} = (z_i, V_{i,1}, V_{i,2}) = \left([H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})]_1^{2l},\ Z_i^{y_{i,1}},\ Z_i^{y_{i,2}}\right),$$
where $Z_i = c_{i,1} c_{j,1}$, $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$ and $c_j = (c_{j,1}, c_{j,2}, c_{j,3})$.
3. Challenge. Once $A_1$ decides that Phase 1 is over, $B$ takes a message $M_t$ at random as the challenge message, generates the two points $(x_{t,1}, y_{t,1}), (x_{t,2}, y_{t,2})$ as in Encrypt, and computes the challenge ciphertext $c_t = (c_{t,1}, c_{t,2}, c_{t,3})$ as
$$c_{t,1} = g^b, \qquad c_{t,2} = M_t \oplus H_1(g^c), \qquad c_{t,3} = (x_{t,1}\|x_{t,2}\|y_{t,1}\|y_{t,2}) \oplus H_2(c_{t,1}^{x_t}, c_{t,1}, c_{t,2}).$$
Finally, it provides $c_t$ to $A_1$ as the challenge ciphertext.
4. Phase 2. $A_1$ issues more queries as in Phase 1, under two conditions: in decryption key retrieval queries, $i \neq t$ holds; in decryption queries, $(t, c_t)$ is not allowed.
5. Guess. $A_1$ outputs a guess $M_t' \in \mathcal{M}$. If $M_t' = M_t$ holds, $B$ outputs 1, meaning $g^{ab} = g^c$, and 0 otherwise. Note that $c_t$ is a valid ciphertext of the challenge message exactly when $g^{ab} = g^c$.

Theorem 3. Our proposed scheme is IND-CCA secure under the DDH assumption in the random oracle model for Type-a ($a = 1, 2, 3$) authorization against a Type II adversary.

Proof. Suppose that $A_2$ is a Type II adversary breaking the encryption scheme. We build an algorithm $B$ that solves the DDH problem in $G$ by simulating an attack environment for such an adversary. Algorithm $B$ is given a four-tuple $(g, g^a, g^b, g^c) \in G^4$, and its target is to decide whether or not $g^{ab} = g^c$ holds. During the interaction, $B$ records the answers it gives to all queries and additionally maintains a separate list for $H_1$. Let $A_2$ choose $t$ as its target at the beginning of the game.
1. Setup. $B$ generates the system parameters $sp = (G, g, H_1, H_2, H_3, H_4, H_5, H_6)$ from the security parameter $k$ as in Setup and provides $sp$ to $A_2$, where $H_1$ is a random oracle controlled by $B$. Subsequently, $B$ generates $n$ public/private key pairs $(pk_i, sk_i)$ ($1 \le i \le n$) by invoking KeyGen and provides all $pk_i = (X_i = g^{x_i}, Y_i = g^{y_i})$ to $A_2$ (for $i = t$, $pk_t = (X_t = g^{x_t}, Y_t = g^a)$), keeping $sk_i = (x_i, y_i)$ secret (for $i = t$, $sk_t = (x_t)$; $B$ does not know the secret key corresponding to $Y_t$), where $x_i, y_i, x_t \in \mathbb{Z}_q^*$.
2. Phase 1. $A_2$ may issue queries to all random oracles a polynomial number of times. The constraint is that $t$ does not appear in the decryption key retrieval queries:
$H_1$ query: To answer $A_2$'s queries, $B$ keeps an $H_1$-list of tuples of the form $(a_i, u_i)$. On query $a_i$, $B$ does the following: if $a_i$ already appears in the $H_1$-list in a tuple $(a_i, u_i)$, $B$ responds with $H_1(a_i) = u_i$; otherwise, $B$ picks $u_i \in \{0,1\}^k$ at random, adds the new tuple $(a_i, u_i)$ to the $H_1$-list and responds with $H_1(a_i) = u_i$.
Decryption key retrieval queries ($i$): $B$ responds to $A_2$ with the $sk_i$ created in Setup ($i \neq t$).
Decryption queries ($i$, $c_i$): Suppose $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$. If $i \neq t$, $B$ runs Decrypt with the valid $c_i$ and $sk_i$ as inputs and responds to $A_2$ with the output. Otherwise, for each tuple $(a_i, u_i)$ in the $H_1$-list, $B$ computes:
1. $M_i = c_{i,2} \oplus u_i$ and $x_{i,1}\|x_{i,2}\|y_{i,1}\|y_{i,2} = c_{i,3} \oplus H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$;
2. uses $M_i$ to generate $P_1, P_2$ as in the algorithm Encrypt;
3. constructs $f_i(x)$ from the two points $P_1, P_2$;
4. tests whether $f_i(x_{i,1}) = y_{i,1}$ and $f_i(x_{i,2}) = y_{i,2}$ hold; if yes, $B$ returns $M_i$ to $A_2$. If no tuple passes, it responds $\bot$ to $A_2$.
Authorization queries ($i$, $\cdot$): For Type-a ($a = 1, 2, 3$) authorization:
1. In Type 1 authorization, with given $i$, $B$ runs $\mathrm{Auth}_1(sk_i)$ with $sk_i$ and responds to $A_2$ with $td_{1,i} = x_i$ ($x_i = sk_i$);
2. In Type 2 authorization, given $(i, c_i)$, $B$ runs $\mathrm{Auth}_2(sk_i, c_i)$ with $sk_i$ and responds to $A_2$ with $td_{2,i,c_i} = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$ ($x_i = sk_i$);
3. In Type 3 authorization, given $(i, c_i, j, c_j)$, $B$ runs $\mathrm{Auth}_3(sk_i, c_i, c_j)$ with $sk_i$ and responds with
$$td_{3,i,c_i,j,c_j} = (z_i, V_{i,1}, V_{i,2}) = \left([H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})]_1^{2l},\ Z_i^{y_{i,1}},\ Z_i^{y_{i,2}}\right),$$
where $Z_i = c_{i,1} c_{j,1}$, $c_i = (c_{i,1}, c_{i,2}, c_{i,3})$ and $c_j = (c_{j,1}, c_{j,2}, c_{j,3})$.
3. Challenge. Once $A_2$ decides that Phase 1 is over, it provides two messages $M_0, M_1 \in \{0,1\}^k$ to $B$. $B$ chooses a random bit $b \in \{0,1\}$, runs Encrypt to generate the two points $(x_{b,1}, y_{b,1}), (x_{b,2}, y_{b,2})$, and outputs the challenge ciphertext $c_t = (c_{t,1}, c_{t,2}, c_{t,3})$ as
$$c_{t,1} = g^b, \qquad c_{t,2} = M_b \oplus H_1(g^c), \qquad c_{t,3} = (x_{b,1}\|x_{b,2}\|y_{b,1}\|y_{b,2}) \oplus H_2(c_{t,1}^{x_t}, c_{t,1}, c_{t,2}).$$
Finally, it provides $c_t$ to $A_2$ as the challenge ciphertext.
4. Phase 2. $A_2$ issues more queries as in Phase 1, under the following conditions: in decryption key retrieval queries, $i \neq t$ holds; in decryption queries, $(t, c_t)$ is not allowed; for Type-a ($a = 1, 2, 3$) authorization queries:
1. in Type 1 authorization queries, $i = t$ is not allowed;
2. in Type 2 authorization queries, $(t, c_t)$ is not allowed;
3. in Type 3 authorization queries, $(t, c_t, \cdot)$ is not allowed.
5. Guess. $A_2$ outputs a guess $b'$. If $b' = b$, $B$ outputs 1, meaning $g^{ab} = g^c$; otherwise it outputs 0. When $g^{ab} = g^c$, $c_t$ is a valid ciphertext of the challenge message.

Authorization security
In this section, we analyze the security of the authorizations. In Type 4 authorization, the authorized party has $td_{4,i,c_i} = \mathrm{Aut}_2(sk_i, c_i) = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$ and $td_{4,j} = \mathrm{Aut}_1(sk_j) = x_j$. It cannot obtain $x_i$ from $sk_i$, which is used by user $u_i$. Therefore, the adversary cannot obtain Type 1 authorization. In Type 3 authorization, the authorized party has
$$td_{3,i,c_i,j,c_j} = (z_i, V_{i,1}, V_{i,2}) = \left([H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})]_1^{2l},\ Z_i^{y_{i,1}},\ Z_i^{y_{i,2}}\right), \qquad td_{3,j,c_j,i,c_i} = (z_j, V_{j,1}, V_{j,2}) = \left([H_2(c_{j,1}^{x_j}, c_{j,1}, c_{j,2})]_1^{2l},\ Z_j^{y_{j,1}},\ Z_j^{y_{j,2}}\right),$$
where $Z_i = c_{j,1} c_{i,1}$ and $Z_j = c_{i,1} c_{j,1}$; the adversary cannot obtain $(y_{i,1}, y_{i,2}, y_{j,1}, y_{j,2}, x_i, x_j)$ without $M$. Thus, the adversary cannot obtain Type 4, Type 2 or Type 1 authorization. In Type 2 authorization, the authorized party has $td_{2,i,c_i} = H_2(c_{i,1}^{x_i}, c_{i,1}, c_{i,2})$; the adversary cannot obtain $(x_i, x_j)$. Therefore, it cannot obtain Type 4 or Type 1 authorization.
Performance analysis
In this section, we discuss the efficiency of our scheme. According to the experimental results in previous studies, a bilinear pairing costs about five times as much as an exponentiation, and a modular exponentiation costs more than a modular inverse. We provide an efficiency comparison with Ma et al. [17] and Lin et al. [18] in Table 1, a storage space comparison with Lin et al. [18] in Table 2, and a brief comparison with other schemes in Table 3.

Table 1. The comparison of computational complexity.

| Scheme | C_Enc | C_Dec | Auth Type 1 | Auth Type 2 | Auth Type 3 | Auth Type 4 | Test Type 1 | Test Type 2 | Test Type 3 | Test Type 4 |
|---|---|---|---|---|---|---|---|---|---|---|
| Ma et al. [17] | 6E | 5E | 0 | 2E | 2E + 2P | 1E | 2E + 2P | 2E + 2P | 2E + 2P + 2I | 2E + 2P |
| Lin et al. [18] | 4E + 3I | 3E + 3I | 0 | 1E | 4E | 1E | 2E + 6I | 6I | 6E + 6I | 1E + 6I |
| Our scheme | 3E + 1I | 2E + 1I | 0 | 1E | 3E | 1E | 2E + 2I | 2I | 4E + 4I | 1E + 2I |

C_Enc, C_Dec, Auth and Test: the computational complexity of encryption, decryption, Type-a authorization and Type-a test; E, P and I: an exponentiation, a pairing and an inversion in the group G.

Table 2. The comparison of storage space.

| Scheme | pk | sk | C_len |
|---|---|---|---|
| Lin et al. [18] | 2 log q (bit) | 2 log q (bit) | 8 log q (bit) |
| Our scheme | 2 log q (bit) | 2 log q (bit) | 6 log q (bit) |

pk, sk and C_len: the bit sizes of the public key, the secret key and the ciphertext; log q: the bit length of a group element, in which the public key, the secret key and the ciphertext are measured.

Table 3. The comparison of computational complexity with other schemes.

| Scheme | C_Enc | C_Dec |
|---|---|---|
| Tang [13,14] | 4E | 2E |
| Tang [15] | 5E | 2E |
| Ma [16] | 6E + 2P | 2E + 2P + 1I |
| Our scheme | 3E + 1I | 2E + 1I |

C_Enc and C_Dec: the computational complexity of encryption and decryption; E, P and I: an exponentiation, a pairing and an inversion in the group G.

In Table 1, we compare the presented scheme with the schemes of Ma et al. [17] and Lin et al. [18] with respect to the computational complexity of Encrypt (C_Enc) and Decrypt (C_Dec) (second and third columns), the four types of Authorization (Auth) (fourth to seventh columns) and the four types of Test (eighth to eleventh columns). In Table 2, we compare the storage space with Lin et al. [18] in terms of the sizes of pk, sk and C_len (second to fourth columns). In Table 3, we compare with the earlier PKEwET schemes in terms of the computational complexity of encryption and decryption (second and third columns).

It is clear from the tables that our scheme requires smaller ciphertext storage than the scheme of Lin et al. [18], and that its computational cost is lower than that of Ma et al. [17] and Lin et al. [18] for Encrypt, Decrypt, the four types of Authorization and the four types of Test. Thus, our presented scheme is more efficient. From Table 3, it can be observed that our scheme is more efficient than that of Tang in encryption. As a whole, our scheme supports much more flexible authorization and is more efficient than the previous studies [17,18]. Thus, we remark that our scheme is more practical for the age of big data.

Conclusion
In this article, we present an improved PKEwET-FA scheme. We show that our scheme is more flexible and more practical than previous works. For the Encrypt, Decrypt and Test algorithms, we use a straight line instead of a quadratic curve. Finally, we conclude that the presented scheme achieves lower computational complexity and smaller storage space under the same level of security.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This work was supported by the National Natural Science Foundation of China (NSFC) (Nos , ).

References
Boneh D, Crescenzo GD, Ostrovsky R, et al. Public key encryption with keyword search. In: Cachin C and Camenisch JL (eds) Advances in cryptology – EUROCRYPT 2004. Heidelberg: Springer, 2004, p.56c.
2. Abdalla M, Bellare M, Catalano D, et al. Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup V (ed.) Annual international cryptology conference – CRYPTO 2005 (Lecture notes in computer science). Berlin, Heidelberg: Springer, 2005.
3. Liu C, Zhu L, Wang M, et al. Search pattern leakage in searchable encryption: attacks and new construction. Inform Sciences 2014; 265: 76C.
4. Byun JW, Rhee HS, Park HA, et al. Off-line keyword guessing attacks on recent keyword search schemes over encrypted data. In: Jonker W and Petković M (eds) Secure data management. Berlin, Heidelberg: Springer, 2006.
5. Cao N, Wang C, Li M, et al. Privacy-preserving multi-keyword ranked search over encrypted cloud data. IEEE T Parall Distr 2014; 25(1).
6. Fang L, Susilo W, Ge C, et al. Public key encryption with keyword search secure against keyword guessing attacks without random oracle. Inform Sciences 2013; 238.
7. Hofheinz D and Weinreb E. Searchable encryption with decryption in the standard model. Cryptology ePrint Archive, Report 2008/423, 2008.
8. Nishioka M. Perfect keyword privacy in PEKS systems. In: Nishioka M (ed.) Provable security. Berlin, Heidelberg: Springer, 2012.
9. Bellare AB and O'Neill A. Deterministic and efficiently searchable encryption. In: Menezes A (ed.) Advances in cryptology – CRYPTO 2007 (Lecture notes in computer science). Heidelberg: Springer, 2007.
10. Bellare M, Fischlin M, O'Neill A, et al. Deterministic encryption: definitional equivalences and constructions without random oracles. In: Wagner D (ed.) Advances in cryptology (Lecture notes in computer science). Berlin: Springer, 2008.
11. Boldyreva SF and O'Neill A. On notions of security for deterministic encryption, and efficient constructions without random oracles. In: Proceedings of the annual international cryptology conference, Santa Barbara, CA, August 2008. Berlin: Springer.
12. Yang G, Tan CH, Huang Q, et al. Probabilistic public key encryption with equality test. In: Pieprzyk J (ed.) Cryptographers' track at the RSA conference. Berlin, Heidelberg: Springer, 2010.
13. Tang Q. Towards public key encryption scheme supporting equality test with fine-grained authorization. In: Proceedings of the 16th Australasian conference on information security and privacy, Melbourne, VIC, Australia, July 2011, vol. 6812, p.389c46. New York: ACM.
14. Tang Q. Public key encryption schemes supporting equality test with authorisation of different granularity. Int J Appl Cryptograp 2012; 2(4): 34C.
15. Tang Q. Public key encryption supporting plaintext equality test and user-specified authorization. Secur Commun Netw 2012; 5(12): 1351C.
16. Ma S. Identity-based encryption with outsourced equality test in cloud computing. Inform Sciences 2016; 328.
17. Ma S, Huang Q, Zhang M, et al. Efficient public key encryption with equality test supporting flexible authorization. IEEE T Inf Foren Sec 2015; 10(3).
18. Lin XJ, Qu H and Zhang X. Public key encryption supporting equality test and flexible authorization without bilinear pairings. IACR Cryptology ePrint Archive, 2016.
19. Lynn B. Pairing based cryptography – benchmarks, crypto.stanford.edu/pbc/times.html
20. Lauter K. The advantages of elliptic curve cryptography for wireless security. IEEE T Wirel Commun 2004; 11(1).
21. Yoshitomi M, Takagi T, Kiyomoto S, et al. Efficient implementation of the pairing on mobile phones using BREW. IEICE T Inf Syst 2008; 6434.