Arbitrary-State Attribute-Based Encryption with Dynamic Membership
|
|
- Rudolf Stephens
- 6 years ago
- Views:
Transcription
1 1/ 34 Arbitrary-State Attribute-Based Encryption with Dynamic Membership Speaker: Chun-I Fan Chun-I Fan, National Sun Yat-sen University, Kaohsiung Vincent Shi-Ming Huang, Industry Technology Research Institute, Hsinchu He-Ming Rung, National Taiwan University, Taipei IEEE Transactions on Computers, 2014
2 2/ 34 Outline 1 Introduction 2 Preliminaries 3 The Proposed Scheme 4 Security Proof 5 Comparisons 6 Conclusions
3 3/ 34 Public Key Infrastructure (PKI) Traditional PKI has some features: A sender should get the public key (or the identity) of the receiver in advance. The more receivers the system has, the more bandwidth it consumes. Broadcast encryption may be able to solve the problem of performance, but the sender needs to have the receiver list.
4 4/ 34 Attribute-Based Encryption (ABE) In 1993, Fiat, and Naor proposed a broadcast encryption system. In 2001, Boneh and Franklin proposed an identity-based encryption (IBE) scheme based on Weil pairing, and enhanced it by the technique from Fujisaki and Okamoto. In 2005, Sahai and Waters proposed a new type of IBE, fuzzy IBE, which was the prototype of ABE. In 2007, Baek, Susilo, and Zhou presented another fuzzy IBE with new construction.
5 Our Contribution A"melancholia"pa-ent Melancholia"Experiences He"wants"to"share"the"experiences" of"struggling"against"melancholia"on"a"pla7orm with"doctors or"any"forum with"other" male"pa-ents A9ribute:" (( Gender:"MALE "AND" MENTAL"DISORDER:"MELANCHOLIA )"" OR"( CAREER:"DOCTOR "AND" SPECIALITY:"MELANCHOLIA )) 5/ 34 Our scheme is the first one which supports dynamic membership and arbitrary-state attributes. It is CCA secure under a standard model (without using random oracles).
6 6/ 34 Dynamic Membership Expandability. A new user is able to enroll in the system. Renewability. Each user s private key, attribute set, and attribute values can be renewed and the old private keys should be useless to those ciphertexts which are encrypted after these parameters associated with the user are renewed. Revocability. A user s private key can be revoked and the revoked private keys should be useless to those ciphertexts which are encrypted after these private keys are revoked. Independence. When a user s leaving or attribute updating occurs, the other users are not required to interact with KGC (Key Generation Center) to renew their private keys.
7 7/ 34 Backgrounds Lagrange Interpolation Lagrange interpolating polynomial is a polynomial p of degree not greater than (n 1) that passes through n points (x i,y 1 ),...,(x n,y n ), and is given by p(x) = nx p j (x), wherep j (x) =y j j=1 Y k=i,...,n,k6=j x x k. x j x k For i 2 Z and S Z, the Lagrange coe cient i,s(x) is defined as i,s(x) = Y 8j2S,j6=i x i j j
8 8/ 34 Backgrounds Bilinear Mapping Let G 0, G 1,andG T be three cyclic groups of prime order q. A bilinear mapping e : G 0 G 1! G T satisfies the following properties: Bilinearity: e(ap, bq) =e(p, Q) ab, 8P 2 G 0, Q 2 G 1 and a, b 2 Z q. Non-Degeneracy: The mapping does not map all pairs in G 0 G 1 to the identity in G T. Computability: There is an e e(p, Q), 8P 2 G 0,Q2 G 1. cient algorithm to compute
9 9/ 34 Backgrounds Decisional Bilinear Di e-hellman Problem Let G 0,G 1,andG T be three cyclic groups of prime order q, P and Q be arbitrarily-chosen generators of G 0 and G 1,respectively,and e : G 0 G 1! G T be a bilinear mapping. Given (P, Q, ap, bp, cp, aq, bq, cq, Z) for some a, b, c 2 Z q and Z 2 R {e(p, Q) abc,y 2 R G T }, decide if Z = e(p, Q) abc.
10 10/ 34 Definitions Definition 1 (The DBDH Assumption) We define that an adversary C with an output b 0 2{0, 1} has advantage 0 in solving the DBDH problem if Pr[C(P, Q, ap, bp, cp, aq, bq, cq, e(p, Q) abc ) = 1] Pr[C(P, Q, ap, bp, cp, aq, bq, cq, Z) = 1] 0 where the probability is over the random choice of a, b, c 2 Z q and the random choice Z 2{e(P, Q) abc,y 2 R G T }.
11 11/ 34 An Access Tree
12 12/ 34 The Proposed Scheme Overview: Enrollment, Encryption, Decryption
13 13/ 34 The Proposed Scheme Overview: Leaving, Updating
14 14/ 34 The Proposed Scheme Setup(k) Step 1: G 0, G 1, G T with prime order q, e : G 0 G 1! G T, generator P of G 0, generator Q of G 1 Step 2:, 2 R Z q and H : {0, 1}! Z q. Step 3: Generate two default users: 1 U = {0, 1}, {v i,j } 8i2U,j2A 2 R Z q, {t i } 8i2U 2 R Z q. 2 ( {Vj = ( Q 8i2U v i,j)q} 8j2A Q {v i,j = t i 8k6=i,k2U v 1 k,j + v i,j mod q} 8i2U,8j2A. Step 4: Public parameter PK =(G 0, G 1, G T, e, H, P, Q, U = e(p, Q) ( 1), e(p, Q), {V j, {v i,j } 8i2U } 8j2A, V) The master key of KGC is MK = Q. The asymmetric setting of e can be implemented by BN-Curve which is with faster software implementations.
15 The Proposed Scheme Enrollment(A i, (m i,j) 8j2Ai,MK) 15/ 34 Step 1: r i, t i, {v i,j } 8j2A, {r i,j } 8j2Ai 2 R Z q Step 2: U = U[{i} Step 3: 8 >< >: {h i,j = H(m i,j )} 8j2Ai {V j = v i,j V j } 8j2A {v i,j = t i Q 8k6=i,k2U v 1 k,j + v i,j mod q} 8j2A {v k,j =(v k,j v k,j )v 1 i,j + v k,j mod q} 8k6=i,k2U,8j2A Step 4: Generate user i s private key D i = 8 D i = Q + t i r i Q >< {D i,j = vi,j 1 (r ip + r i,j h i,j P )} 8j2Ai {D >: i,j 0 = t ir i,j P } 8j2Ai {Di,j 00 = r ip + r i,j h i,j P } 8j2Ai Step 5: Increase V and update ({V j, {v i,j } 8i2U } 8j2A, V) in PK.
16 16/ 34 The Proposed Scheme Leaving(u) KGC increases V and updates PK as follows: {Vj = v 1 u,j V j} 8j2A {v k,j =(v k,j v k,j )v u,j + v k,j mod q} 8k6=u,k2U,8j2A Finally, it sets U = U\{u} and deletes {v u,j } 8j2A in PK.
17 17/ 34 The Proposed Scheme Updating(m 0 i,j) Step 1: vi,j 0, r0 i, r0 i,j 2 R Z q Step 2: h 0 i,j = H(m0 i,j ) Step 3: Give 8 >< >: D i = Q + t i ri 0Q D i,j = vi,j 0 1 (r0 i P + r0 i,j h0 i,j P ) {D i,k = v 1 i,k (r0 i P + r i,kh i,k P )} 8k2Ai \{j} D 0 i,j = t ir 0 i,j P D 00 i,j = r0 i P + r0 i,j h0 i,j P {D 00 i,k = r0 i P + r i,kh i,k P )} 8k2Ai \{j} to user i. Step 4: Increase V and update PK. 8 < : V j = vi,j 1 v0 i,j V j v i,j =(v i,j v i,j )+vi,j 0 mod q v k,j =(v k,j v k,j )v i,j vi,j v k,j mod q, 8k 2U\{i}
18 18/ 34 The Proposed Scheme Encryption(T,M,PK) Access tree structure construction. For the root node R: 1 s 2 R Z q and k R is the threshold value of R. 2 Randomly choose a polynomial q R of degree d R = k R 1 with q R (0) = s. 3 Assign a unique index number x for each child of R. For each internal node N other than R: 1 k N is the threshold value of N. 2 Randomly choose a polynomial q N of degree d N = k N 1 with q N (0) = q parent(n) (index(n)). 3 Assign a unique index number x for each child of node N. For each leaf node N L : Randomly choose a polynomial q NL of degree 0 with q NL (0) = q parent(nl )(index(n L )).
19 19/ 34 The Proposed Scheme Encryption Ciphertext generation: K 2 R G T and N L = {the leaves of T}. The ciphertext is CT = (T, C = e(p, Q) s K, C = sp, C 0 = U s, M = E K (M),C r = H(K M)P, {C N = q N (0)V att(n),cn 0 = q N(0)H(val(N))Q, {v i,att(n) } 8i2U } 8N2NL, V). {{v i,att(n) } 8i2U } 8N2NL can be excluded from the ciphertext.
20 20/ 34 The Proposed Scheme Decryption(CT,D i) DecryptNode(CT,D i,n): LetV j = v j P. If N is a leaf node: Let j = att(n). If j is in A i and m i,j = val(n), then DecryptNode(CT,D i,n) = e(d i,j,v i,j C N ) e(d 0 i,j,c0 N )e(d00 i,j,c N ) = e(v 1 i,j (r ip +r i,j h i,j P ),(t i v 1 j v i,j +v i,j )q N (0)v j Q) e(t i r i,j P,q N (0)h i,j Q)e(r i P +r i,j h i,j P,v j q N (0)Q) = e(v 1 i,j (r ip +r i,j h i,j P ),t i v i,j q N (0)Q+v i,j v j q N (0)Q) e(t i r i,j P,q N (0)h i,j Q)e(r i P +r i,j h i,j P,v j q N (0)Q) = e(r ip +r i,j h i,j P,t i q N (0)Q)e(r i P +r i,j h i,j P,v j q N (0)Q) e(t i r i,j P,q N (0)h i,j Q)e(r i P +r i,j h i,j P,v j q N (0)Q) = e(r ip,t i q N (0)Q)e(r i,j h i,j P,t i q N (0)Q) e(t i r i,j P,q N (0)h i,j Q) = e(p, Q) t ir i q N (0). Otherwise, DecryptNode(CT,D i,n)=?.
21 21/ 34 The Proposed Scheme Decryption If N is an internal node: 1 For each child N c of N, F Nc = DecryptNode(CT,D i,n c ). 2 Let I c be a k N -sized set containing the indexes of the child nodes N c s such that F Nc 6=? for each N c.return F N = Q 8index(N c)=z2i c F z,ic (0) N c = Q 8index(N c)=z2i c (e(p, Q) tiriq Nc (0) ) = Q 8index(N c)=z2i c (e(p, Q) tiriqparent(nc)(z) ) = Q 8index(N c)=z2i c (e(p, Q) tiriq N (z) z,ic (0) ) = e(p, Q) tiriq N (0) z,ic (0) z,ic (0). 3 If no such set exists, N is not satisfied and return F N =?.
22 22/ 34 The Proposed Scheme Decryption Call DecryptNode(CT,D i,r): A = DecryptNode(CT,D i,r) = e(p, Q) t ir i q R (0) = e(p, Q) t ir i s Compute the session key K: A C e(c,d i ) C 0 = e(p,q) t i r i s e(p,q) s K e(sp,( +t i r i )Q) e(p,q) ( 1)s = e(p,q) s e(p,q) t i r i s K e(p,q) ( s+ ( 1)s+t i r i s) = e(p,q) s+t i r i s K e(p,q) s+t i r i s = K The decryption procedure will return? if C r 6= H(K M)P. Otherwise, it returns M by computing M = D K (M).
23 23/ 34 Dynamic Membership The Enrollment algorithm: 1 Expandability The Leaving and Updating algorithms: 1 Revocability 2 Renewability 3 Independence
24 24/ 34 Security Proof Theorem The proposed CP-ABE-DM scheme is CCA DM secure under the DBDH assumption in a standard model.
25 25/ 34 Security Proof The CCA DM Game
26 Security Proof The Cipher Algorithm 26/ 34 Initially, C calls Cipher(T,R,cQ).
27 27/ 34 Comparisons Dynamic Membership: It allows an ABE system to manage member enrollment, attribute updating, and member revocation e ciently. Sender Updating: A sender must grab the newest public information before she/he encrypts a message. Receiver Updating: Areceivermustinteractwiththesystem to refresh her/his private key or retrieve the newest public information before she/he decrypts a ciphertext. No Private Key Refreshment: Members do not have to interact with the system to refresh their private keys when the membership or any of the members attributes has been changed. Arbitrary-State Attribute: The domain of each attribute is a variable-length string, not a binary bit only.
28 28/ 34 Feature Comparisons Dynamic Membership Scheme Updating Leaving ASA Special Feature Ours Yes Yes Yes No Private Key Refreshment [4] No No Yes Direct and Indirect Revocation [5] No Yes No Multi-Authority [12] No No No Dual Policy [13] No No No Multi-Authority [15] No No No Multi-Authority [7] No No No Full Logic Expression [8] No No No Key Delegation [9] No No No Multi-Authority [10] No No No -
29 29/ 34 Feature Comparisons Dynamic Membership Scheme Updating Leaving ASA Special Feature Ours Yes Yes Yes No Private Key Refreshment [11] No No No - [14] No No No - [25] No No No Full Logic Expression [26] No No No [27] No No No Multi-Authority [28] No No No Multi-Authority [29] No No No Attribute Hierarchy [30] No No Yes Unbounded Attribute [31] No No No Constant Ciphertext Size [32] No No No Multi-Authority [33] No Yes No - ASA: Arbitrary-State Attribute
30 30/ 34 Notations for Performance Comparisons Notation Meaning n the number of the members in an ABE system m the number of the attributes provided in an ABE system m c the number of attributes associated to a ciphertext m d the maximum of Cover(R) where R is the set of revoked users and m d <m m u the number of a user s attributes m a the number of authorities m or the number of OR gates of the access rule associated to aciphertext m and the number of the AND conjunction attributes of the access rule associated to a ciphertext m not the number of the NOT conjunction attributes of the access rule associated to a ciphertext DR, IR Direct Mode and Indirect Mode SA, OA Subject Attribute and Objected Attribute
31 31/ 34 Performance Comparisons: Computation Cost
32 32/ 34 Performance Comparisons: Storage and Communication Cost
33 33/ 34 Conclusions An attribute-based encryption scheme with dynamic membership has been proposed. This is the first ABE scheme which can support arbitrary-state attributes and attribute (and value) updating with Sender Updating only. It has been formally proved to be CCA secure under a standard model.
34 Q&A 34/ 34
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationThe k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions
The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions Karyn Benson (UCSD) Hovav Shacham (UCSD) Brent Waters (UT-Austin) Provable Security How to show your cryptosystem
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationCONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationMulti-key Hierarchical Identity-Based Signatures
Multi-key Hierarchical Identity-Based Signatures Hoon Wei Lim Nanyang Technological University 9 June 2010 Outline 1 Introduction 2 Preliminaries 3 Multi-key HIBS 4 Security Analysis 5 Discussion 6 Open
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationT Advanced Course in Cryptology. March 28 th, ID-based authentication frameworks and primitives. Mikko Kiviharju
March 28 th, 2006 ID-based authentication frameworks and primitives Helsinki University of Technology mkivihar@cc.hut.fi 1 Overview Motivation History and introduction of IB schemes Mathematical basis
More informationNew Framework for Secure Server-Designation Public Key Encryption with Keyword Search
New Framework for Secure Server-Designation Public Key Encryption with Keyword Search Xi-Jun Lin,Lin Sun and Haipeng Qu April 1, 2016 Abstract: Recently, a new framework, called secure server-designation
More informationLesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search
Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search November 3, 2014 teacher : Benoît Libert scribe : Florent Bréhard Key-Policy Attribute-Based Encryption (KP-ABE)
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationOn (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique)
On (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique) Sanjit Chatterjee and Palash Sarkar Applied Statistics Unit
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationPublic-Key Cryptography. Public-Key Certificates. Public-Key Certificates: Use
Public-Key Cryptography Tutorial on Dr. Associate Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur http://cse.iitkgp.ac.in/ abhij/ January 30, 2017 Short
More informationAttribute-Based Encryption Optimized for Cloud Computing
ttribute-based Encryption Optimized for Cloud Computing Máté Horváth 27 January 1 / 17 Roadmap 1 Encryption in the Cloud 2 User Revocation 3 Background 4 The Proposed Scheme 5 Conclusion 2 / 17 Traditional
More informationNew Constructions of Revocable Identity-Based Encryption from Multilinear Maps
New Constructions of Revocable Identity-Based Encryption from Multilinear Maps Seunghwan Park Kwangsu Lee Dong Hoon Lee Abstract A revocation mechanism in cryptosystems for a large number of users is absolutely
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationPairing-Based Cryptographic Protocols : A Survey
Pairing-Based Cryptographic Protocols : A Survey Ratna Dutta, Rana Barua and Palash Sarkar Cryptology Research Group Stat-Math and Applied Statistics Unit 203, B. T. Road, Kolkata India 700108 e-mail :{ratna
More informationAn efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of Boneh-Gentry-Hamburg's
More informationarxiv: v1 [cs.cr] 24 Feb 2017
Efficient Hidden Vector Encryptions and Its Applications 1 arxiv:1702.07456v1 [cs.cr] 24 Feb 2017 Kwangsu Lee A Thesis for the Degree of Doctor of Philosophy Department of Information Security, Graduate
More informationDirectly Revocable Key-Policy Attribute- Based Encryption with Verifiable Ciphertext Delegation
Directly Revocable Key-Policy Attribute- Based Encryption with Verifiable Ciphertext Delegation Yanfeng Shi, Qingji Zheng, Jiqiang Liu, Zhen Han Beijing Jiaotong University Traditional Encrypted Filesystem
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationRecent Advances in Identity-based Encryption Pairing-based Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-based Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationCiphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization
Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization Brent Waters University of Texas at Austin bwaters@csutexasedu Abstract We present a new methodology
More informationDynamic Key-Aggregate Cryptosystem on Elliptic Curves for Online Data Sharing
Dynamic Key-Aggregate Cryptosystem on Elliptic Curves for Online Data Sharing Sikhar Patranabis, Yash Shrivastava and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationFully Secure (Doubly-)Spatial Encryption under Simpler Assumptions
Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions Cheng Chen, Zhenfeng Zhang, and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationABHELSINKI UNIVERSITY OF TECHNOLOGY
Identity-Based Cryptography T-79.5502 Advanced Course in Cryptology Billy Brumley billy.brumley at hut.fi Helsinki University of Technology Identity-Based Cryptography 1/24 Outline Classical ID-Based Crypto;
More informationNew Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts
New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationAdaptive Security of Compositions
emester Thesis in Cryptography Adaptive ecurity of Compositions Patrick Pletscher ETH Zurich June 30, 2005 upervised by: Krzysztof Pietrzak, Prof. Ueli Maurer Email: pat@student.ethz.ch In a recent paper
More informationSelf-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better Efficiency
Self-Updatable Encryption: Time Constrained Access Control with Hidden Attributes and Better Efficiency Kwangsu Lee Seung Geol Choi Dong Hoon Lee Jong Hwan Park Moti Yung Abstract Revocation and key evolving
More informationPublic Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time
Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time Yi-Ru Liu, Wen-Guey Tzeng Department of Computer Science National Chiao Tung University Hsinchu, Taiwan 30050 Email:
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationA Survey of Broadcast Encryption
A Survey of Broadcast Encryption Jeremy Horwitz 13 January 2003 Abstract Broadcast encryption is the problem of a sending an encrypted message to a large user base such that the message can only be decrypted
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationBounded Ciphertext Policy Attribute Based Encryption
Bounded Ciphertext Policy Attribute Based Encryption Vipul Goyal Abhishek Jain Omkant Pandey Amit Sahai Department of Computer Science, UCLA {vipul,abhishek,omkant,sahai}@cs.ucla.edu Abstract In a ciphertext
More informationGeneric Constructions of Identity-Based and Certicateless KEMs K. Bentahar, P. Farshim, J. Malone-Lee and N.P. Smart Dept. Computer Science, Universit
Generic Constructions of Identity-Based and Certicateless KEMs K. Bentahar, P. Farshim, J. Malone-Lee and N.P. Smart Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland
More informationDelegation in Predicate Encryption Supporting Disjunctive Queries
Author manuscript, published in "Security and Privacy - Silver Linings in the Cloud Springer Ed. 2012 229-240" DOI : 10.1007/978-3-642-15257-3_21 Delegation in Predicate Encryption Supporting Disjunctive
More informationCryptography from Pairings
DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 1 Cryptography from Pairings Kenny Paterson kenny.paterson@rhul.ac.uk May 31st 2007 DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 2 The Pairings Explosion
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationConstructing Pairing-Friendly Elliptic Curves for Cryptography
Constructing Pairing-Friendly Elliptic Curves for Cryptography University of California, Berkeley, USA 2nd KIAS-KMS Summer Workshop on Cryptography Seoul, Korea 30 June 2007 Outline 1 Pairings in Cryptography
More informationPost-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms
Post-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms Made by: Ehsan Ebrahimi Theory of Cryptography Conference, Beijing, China Oct. 31 - Nov. 3, 2016 Joint work with Dominique Unruh Motivation:
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationStronger Public Key Encryption Schemes
Stronger Public Key Encryption Schemes Withstanding RAM Scraper Like Attacks Prof. C.Pandu Rangan Professor, Indian Institute of Technology - Madras, Chennai, India-600036. C.Pandu Rangan (IIT Madras)
More informationImproved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationAn Enhanced ID-based Deniable Authentication Protocol on Pairings
An Enhanced ID-based Deniable Authentication Protocol on Pairings Meng-Hui Lim*, Sanggon Lee**, Youngho Park***, Hoonjae Lee** *Department of Ubiquitous IT, Graduate school of Design & IT, Dongseo University,
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More informationEfficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption
Efficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption Takuho Mistunaga 1, Yoshifumi Manabe 2, Tatsuaki Okamoto 3 1 Graduate School of Informatics, Kyoto University, Sakyo-ku Kyoto
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationEfficient Selective Identity-Based Encryption Without Random Oracles
Efficient Selective Identity-Based Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient Identity-Based Encryption (IBE) systems that admit selectiveidentity
More informationPublic Key Encryption with Conjunctive Field Keyword Search
Public Key Encryption with Conjunctive Field Keyword Search Dong Jin PARK Kihyun KIM Pil Joong LEE IS Lab, POSTECH, Korea August 23, 2004 Contents 1 Preliminary 2 Security Model 3 Proposed Scheme 1 4 Proposed
More informationShort Signature Scheme From Bilinear Pairings
Sedat Akleylek, Barış Bülent Kırlar, Ömer Sever, and Zaliha Yüce Institute of Applied Mathematics, Middle East Technical University, Ankara, Turkey {akleylek,kirlar}@metu.edu.tr,severomer@yahoo.com,zyuce@stm.com.tr
More informationSecurity Analysis of Some Batch Verifying Signatures from Pairings
International Journal of Network Security, Vol.3, No.2, PP.138 143, Sept. 2006 (http://ijns.nchu.edu.tw/) 138 Security Analysis of Some Batch Verifying Signatures from Pairings Tianjie Cao 1,2,3, Dongdai
More informationRevocable Identity-Based Encryption from Lattices
Revocable Identity-Based Encryption from Lattices Jie Chen, Hoon Wei Lim, San Ling, Huaxiong Wang, and Khoa Nguyen Nanyang Technological University, Singapore s080001@e.ntu.edu.sg {hoonwei,lingsan,hxwang}@ntu.edu.sg
More informationRemove Key Escrow from The Identity-Based Encryption System
Remove Key Escrow from The Identity-Based Encryption System Zhaohui Cheng, Richard Comley and Luminita Vasiu School of Computing Science, Middlesex University, White Hart Lane, London N17 8HR, UK. {m.z.cheng,r.comley,l.vasiu}@mdx.ac.uk
More informationA New Functional Encryption for Multidimensional Range Query
A New Functional Encryption for Multidimensional Range Query Jia Xu 1, Ee-Chien Chang 2, and Jianying Zhou 3 1 Singapore Telecommunications Limited jia.xu@singtel.com 2 National University of Singapore
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationFixed Argument Pairings
craig.costello@qut.edu.au Queensland University of Technology LatinCrypt 2010 Puebla, Mexico Joint work with Douglas Stebila Pairings A mapping e : G 1 G 2 G T : P G 1, Q G 2 and e(p, Q) G T : groups are
More informationContribution to functional encryption through encodings
University of Wollongong Research Online University of Wollongong Thesis Collection 1954-2016 University of Wollongong Thesis Collections 2016 Contribution to functional encryption through encodings Jongkil
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationRelations Among Notions of Security for Public-Key Encryption Schemes. Debdeep Mukhopadhyay IIT Kharagpur. Notions
Relations Among Notions of Security for Public-Key Encryption Schemes Debdeep Muhopadhyay IIT Kharagpur Notions To organize the definitions of secure encryptions Classified depending on: security goals:
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationThreshold broadcast encryption with keyword search
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2016 Threshold broadcast encryption with keyword
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationAdaptively Simulation-Secure Attribute-Hiding Predicate Encryption
Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption by Pratish Datta 1 joint work with Tatsuaki Okamoto 1 and Katsuyuki Takashima 2 1 NTT Secure Platform Laboratories 3-9-11 Midori-cho,
More informationRecent Advances in Identity-based Encryption Pairing-free Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-free Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationDual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions
Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions Brent Waters University of Texas at Austin Abstract We present a new methodology for proving security of encryption
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationMontgomery Algorithm for Modular Multiplication with Systolic Architecture
Montgomery Algorithm for Modular Multiplication with ystolic Architecture MRABET Amine LIAD Paris 8 ENIT-TUNI EL MANAR University A - MP - Gardanne PAE 016 1 Plan 1 Introduction for pairing Montgomery
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationPermutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1
Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department
More informationModels and analysis of security protocols 1st Semester Security Protocols Lecture 6
Models and analysis of security protocols 1st Semester 2010-2011 Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th 2010 1 / 46 Last Time (I) Symmetric
More informationResistance to Pirates 2.0: A Method from Leakage Resilient Cryptography
Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography Duong Hieu Phan 1,2 and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. In the classical model of
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationAll-Or-Nothing Transforms Using Quasigroups
All-Or-Nothing Transforms Using Quasigroups Stelios I Marnas, Lefteris Angelis, and George L Bleris Department of Informatics, Aristotle University 54124 Thessaloniki, Greece Email: {marnas,lef,bleris}@csdauthgr
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationFoundations. P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE
Foundations P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE NP problems: IF, DL, Knapsack Hardness of these problems implies the security of cryptosytems? 2 Relations of
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More information