Public Key Encryption with Conjunctive Field Keyword Search
|
|
- Crystal Flynn
- 5 years ago
- Views:
Transcription
1 Public Key Encryption with Conjunctive Field Keyword Search Dong Jin PARK Kihyun KIM Pil Joong LEE IS Lab, POSTECH, Korea August 23, 2004
2 Contents 1 Preliminary 2 Security Model 3 Proposed Scheme 1 4 Proposed Scheme 2 5 Comparision 6 Conclusion
3 Public Key Encryption with Keyword Search Encrypted message [E Apub [M], PEKS(A pub, (W 1 )),..., PEKS(A pub, (W m ))] PEKS (Public key Encryption with Keyword Search) Should not reveal any information about M. Enable searching for a specific keyword. D. Boneh, G. Di Crescenzo, R. Ostrovsky and G. Persiano, Public key encryption with keyword search, EUROCRYPT 2004, LNCS 3027, pp , Springer-Verlag, 2004.
4 Public Key Encryption with Keyword Search - Examples gateway Environment: Bob sends encrypted to Alice using Alice s public key. Both the contents and the keywords are encrypted. Alice can make the gateway route with the keyword urgent to her pager (or PDA) without information leakage. server Environment: An server stores many s. Each contains a small number of keywords. All s are encrypted using Alice s public key. Alice can enable the server to retrieve s containing a keyword finance by giving a corresponding trapdoor without information leakage.
5 Conjunctive Keyword Search Ex.) Searching an urgent from Bob about finance. Two trivial solutions for conjunctive keyword search Set intersection Information leakage: Server can learn which document matches individual keyword. Meta keyword Huge storage requirement: A document that contains m keywords requires an additional 2 m meta keywords to allow for all possible conjunctive queries. First solution is proposed by Golle et al. (Too heavy) secret key system P. Golle, J. Staddon and B. Waters, Secure conjunctive keyword search over encrypted data, ACNS 2004, LNCS 3089, pp , Springer-Verlag, 2004.
6 Bilinear Map G 1 and G 2 : two groups of order q for some large prime q G 1 : an additive group. G 2 : a multiplicative group. A bilinear map ê : G 1 G 1 G 2 Bilinear: ê(au, bv ) = ê(u, V ) ab for all U, V G 1 and all a, b Z Non-degenerate: If P is a generator of G 1, then ê(p, P ) is a generator of G 2. Computable: There is an efficient algorithm to compute this map Implementation of bilinear map Weil pairing, Tate pairing
7 Model Encrypted message: [E Apub [M], PECK(A pub, (W 1, W 2,..., W m ))]. Assumptions: 1 All document has m keyword fields. 2 The same keyword never appears in two different keyword fields of the same document. Prepending the name of keyword field. Ex.) From:Bob, To:Alice, Subject:WISA Every keyword field is defined for every document. Assigning NULL value in an empty field. Ex.) Subject:NULL.
8 Model - Notations i-th document, D i = (W i,1, W i,2,..., W i,m ) m: the number of keyword fields. W i,j : the keyword in j-th field of the i-th document. A format of query for the conjunctive search, Q = (I 1, I 2,..., I t, Ω 1, Ω 2,..., Ω t ) t: the number of keywords in Q. I i [1, m]: position of a keyword in the keyword fields. Ω i : keywords to search. Trapdoor for Q, T Q = (T, I 1, I 2,..., I t )
9 Model - PECKS A Public Key Encryption with Conjunctive Keyword Search consists of 1 KeyGen(1 k ): Takes a security parameter, 1 k, and generates a public/private key pair A pub, A priv. 2 PECK(A pub, D): For a public key A pub and a document D, produces a conjunctive searchable encryption of D. 3 Trapdoor(A priv, Q): Given a private key A priv and a query Q, produces a trapdoor T Q. 4 Test(A pub, S, T Q ): Given a public key A pub, a conjunctive searchable encryption S = PECK(A pub, D), and a trapdoor T Q = Trapdoor(A priv, Q), outputs yes if {(W I1 = Ω 1 ), (W I2 = Ω 2 ),..., and (W It = Ω t )} and no otherwise.
10 Security Game ICC Indistinguishability of ciphertext from ciphertext (ICC): 1 The challenger runs the KeyGen(1 k ) algorithm to generate A pub and A priv. It gives A pub to the attacker. 2 The attacker can adaptively ask the challenger for the trapdoor T Q for any query Q of his choice. 3 At some point, the attacker A sends the challenger two documents D 0, D 1. The only restriction is that none of trapdoors asked previously in step 2 is distinguishing D 0 for D 1. The challenger picks a random b {0, 1} and gives the attacker PECK(A pub, D b ). 4 The attacker can continue to ask for trapdoor T Q for any query Q of his choice unless T Q can distinguish D 0 for D 1. 5 Eventually, the attacker A outputs b {0, 1} and wins the game if b = b.
11 Security Game ICC The attacker wins the game if he can correctly guess whether he was given the PECK for D 0 or D 1. We defined an attacker A s advantage as Adv A (1 k ) = P r[b = b ] 1 2. Definition A PECKS is semantically secure against an adaptive chosen keyword attack if for any polynomial time attacker its advantage is a negligible function.
12 Security Game ILCR - a Variant of ICC Indistinguishability of limited ciphertext from random (ILCR) Step 3 of ICC Attacker Challenger: D 0, D 1 Challenger Attacker: P ECK(A pub, D b ) Theorem Step 3 of ILCR Attacker Challenger: W, z W : A keyword z: The position of the keyword Challenger Attacker: P ECK(A pub, D b ), D 0, D 1 D 0: A random document with restriction that z-th word is W D 1: A random document If a scheme is secure according to the ILCR, then the scheme is secure according to the ICC.
13 Construction KeyGen(1 k ): (A pub, A priv ) H : {0, 1} G 1. A pub = [P, Y 1 = s 1 P, Y 2 = s 2 P ] and A priv = [s 1, s 2 ]. PECK(A pub, D): S = [A 1,..., A m, B, C] Select a random r Z p. S = [ ê(rh(w 1 ), Y 1 ),..., ê(rh(w m ), Y 1 ), ry 2, rp ]. Trapdoor(A priv, Q): T Q = [T 1, T 2, I 1,..., I t ] Select ( a random T 2 ) ( Z p. ) T 1 = mod p H(Ω 1 ) + + H(Ω t ). s 1 s 2+T 2 Test(A pub, S, T Q ): yes or no Check the equality, A I1 A It = ê(t 1, B + T 2 C). If so, output yes ; if not, output no.
14 Construction Parameters: H : {0, 1} G 1. A pub = [P, Y 1 = s 1 P, Y 2 = s 2 P ]. [A 1,..., A m, B, C] = [ê(rh(w1 ), Y 1 ),..., ê(rh(w m ), Y 1 ), ry 2, rp ]. T 1 = ( s1 s 2+T 2 ) ( ) mod p H(Ω 1 ) + + H(Ω t ). The equality of Test holds if W Ii = Ω i for 1 i t. A I1 A I2 A It = ê(r(h(w I1 ) + H(W I2 ) H(W It )), Y 1 ). = ê(s 1 (H(Ω 1 ) + H(Ω 2 ) H(Ω t )), rp ). = ê(t 1, B + T 2 C).
15 Security Proof Decision Bilinear Diffie-Hellman (DBDH) Problem To distinguish from (P, αp, βp, γp, ê(p, P ) αβγ ) (P, αp, βp, γp, R) where P, αp, βp, γp G 1 and α, β, γ Z p. Theorem The proposed scheme 1 is secure according to the game ILCR assuming DBDH is intractable.
16 Efficient Implementation - Pseudo-Compressed Pairing A pairing operation consists of Miller s algorithm Final exponentiation ê(u, V ) = (x + iy) (q2 1)/p = ((x + iy) (q 1) ) (q+1)/p (x + iy) is the output of the Miller s algorithm Define ˆε(U, V ) as (x + iy) (q 1) ê(u, V ) = ˆε(U, V ) (q+1)/p a + bi = ˆε(U, V ) b = ±((a 2 1) 1/2 )/i Pseudo-compressed pairing a s(a, b) s(a, b): a single bit that determines the sign of b
17 Efficient Implementation - Efficient Construction PECK(A pub, D): Select a random r Z p. Obtain hash values. Compute a i + b i i from ˆε(rH(W i ), Y 1 ). The PECK(A pub, D) is [ a1 s(a 1, b 1 ), a 2 s(a 2, b 2 ),..., a m s(a m, b m ), ry 2, rp ], Test(A pub, S, T Q ): Recompute a i + b i i s from A i s, Compute a T + b T i = ˆε(T 1, B + T 2 C). Check the equality, ( ) (q+1)/p (ai1 + b I1 i) (a I2 + b I2 i) (a It + b It i) = 1. (a T + b T i)
18 Admissible Encoding Function: MapToPoint Implementation of H : {0, 1} G 1. MapToPoint requires log 2 (q/p)-bit scalar multiplication in E(F q ). F q is the field on which G 1 is based. p is the size of group G 1 and G 2. Cost Embedding degree of pairing is 6 log 2 p log 2 q log 2 (q/p) A. Lenstra and E. R. Verheul, Selecting cryptographic key sizes, Journal of Cryptology, Vol. 14, No. 4, pp , Springer-Verlag, is the largest known embedding degree.
19 Construction KeyGen(1 k ): (A pub, A priv ) H 1 : {0, 1} {0, 1} log 2 p and H 2 : {0, 1} {0, 1} log 2 p. A pub = [P, Y 1 = s 1 P,..., Y m+2 = s m+2 P, g = ê(p, P )], A priv = [s 1,..., s m+2 ]. PECK(A pub, D): S = [A 1,..., A m, B 1,..., B m, C, D] Select random r 0, r 1,..., r m Z p. S = [ r 0 (Y 1 +H 1 (W 1 )P )+r 1 P,..., r 0 (Y m +H 1 (W m )P )+r m P, r 1 Y m+1,..., r m Y m+1, r 0 Y m+2, H 2 (g r0 ) ]. Trapdoor(A priv, Q): T Q = [T 1, T 2, T 3, I 1,..., I t ] Select a random T 3 Z p. T 1 = 1 s I1 + +s It +H 1(Ω 1)+ +H 1(Ω t)+s m+2t 3 P, T 2 = 1 s m+1 T 1, Test(A pub, S, T Q ): yes or no ( ) ê(ai1 + +A Check the equality, H It +T 3C,T 1) 2 ê(b I1 + +B It,T 2) = D. If so, output yes ; if not, output no.
20 Construction Parameters: A pub = [P, Y 1 = s 1 P,..., Y m+2 = s m+2 P, g = ê(p, P )]. A i = r 0 (Y i + H 1 (W i )P ) + r i P. B i = r i Y m+1, C = r 0 Y m+2, D = H 2 (g r0 ). 1 T 1 = s I1 + +s It +H 1(Ω 1)+ +H 1(Ω t)+s m+2t 3 P, T 2 = 1 s m+1 T 1. The equality of Test holds if W Ii = Ω i for 1 i t. ê(a I1 + + A It + T 3 C, T 1 ) ê(b I1 + + B It, T 2 ) = ê(a I A It + T 3 C, T 1 ) ê(r I1 P + + r It P, T 1 ) = ê(r 0 (Y I1 + H 1 (W I1 )P ) + + r 0 (Y It + H 1 (W It )P ) + T 3 C, T 1 ) = ê(r 0 P, P ) = ê(p, P ) r 0 H 2 (ê(p, P ) r 0 ) = D
21 Security Proof Decision Bilinear Diffie-Hellman Inversion (DBDHI) Problem To distinguish from where P G 1 and x Z p. (P, xp,..., x q P, ê(p, P ) 1/x ) (P, xp,..., x q P, R) Theorem The proposed scheme 2 is secure according to the game ILCR assuming DBDHI is intractable.
22 Comparison PECK Trapdoor Test Scheme 1 mp + (m + 2)M + ma 1M + ta 1P + 1M Scheme 2 (3m + 2)M 2M 2P + 1M BCOP1 mp + 2mM + ma 1M + 1A 1P GSW2 (2m + 1)M 3M 3P Schemes BCOP1: the first scheme (in Section 3) of Boneh et al. 1 keyword search m keywords in a document GSW2: the second scheme (in Section 4) of Golle et al. Secret key scheme Abbreviation P : Pairing operation M: Scalar multiplication (or modular exponentiation) A: Admissible encoding function
23 Conclusion We defined the security model for PECKS. We provided two efficient schemes Scheme 1 Quick search Techniques to reduce a burden of pairings Decision bilinear Diffie-Hellman problem Scheme 2 No MapToPoint No pairing operation in PECK Decision bilinear Diffie-Hellman inversion problem
Public Key Encryption with keyword Search
Public Key Encryption with keyword Search Dan Boneh 1 Giovanni Di Crescenzo 2 Rafail Ostrovsky 3 Giuseppe Persiano 4 1 Stanford University. dabo@cs.stanford.edu 2 Telcordia. giovanni@research.telcordia.com
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationNew Framework for Secure Server-Designation Public Key Encryption with Keyword Search
New Framework for Secure Server-Designation Public Key Encryption with Keyword Search Xi-Jun Lin,Lin Sun and Haipeng Qu April 1, 2016 Abstract: Recently, a new framework, called secure server-designation
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationSearchable encryption & Anonymous encryption
Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationCryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05
Cryptanalysis and improvement of an ID-based ad-hoc anonymous identification scheme at CT-RSA 05 Fangguo Zhang 1 and Xiaofeng Chen 2 1 Department of Electronics and Communication Engineering, Sun Yat-sen
More informationLesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search
Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search November 3, 2014 teacher : Benoît Libert scribe : Florent Bréhard Key-Policy Attribute-Based Encryption (KP-ABE)
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationPairing-Based Cryptographic Protocols : A Survey
Pairing-Based Cryptographic Protocols : A Survey Ratna Dutta, Rana Barua and Palash Sarkar Cryptology Research Group Stat-Math and Applied Statistics Unit 203, B. T. Road, Kolkata India 700108 e-mail :{ratna
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationExpressive Search on Encrypted Data
Singapore Management University Institutional Knowledge at Singapore Management University Research Collection School Of Information Systems School of Information Systems 5-2013 Expressive Search on Encrypted
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationImproved ID-based Authenticated Group Key Agreement Secure Against Impersonation Attack by Insider
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is
More informationSecure Indexes* Eu-Jin Goh Stanford University 15 March 2004
Secure Indexes* Eu-Jin Goh Stanford University 15 March 2004 * Generalizes an early version of my paper How to search on encrypted data on eprint Cryptology Archive on 7 October 2003 Secure Indexes Data
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationAn efficient variant of Boneh-Gentry-Hamburg's identity-based encryption without pairing
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 An efficient variant of Boneh-Gentry-Hamburg's
More informationPerfect Keyword Privacy in PEKS Systems
Perfect Keyword Privacy in PEKS Systems Mototsugu Nishioka HITACHI, Ltd., Yokohama Research Laboratory, Japan mototsugu.nishioka.rc@hitachi.com Abstract. This paper presents a new security notion, called
More informationPredicate Privacy in Encryption Systems
Predicate Privacy in Encryption Systems Emily Shen 1, Elaine Shi 2, and Brent Waters 3 1 MIT eshen@csail.mit.edu 2 CMU/PARC eshi@parc.com 3 UT Austin bwaters@cs.utexas.edu Abstract. Predicate encryption
More informationThreshold broadcast encryption with keyword search
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2016 Threshold broadcast encryption with keyword
More information[6] was based on the quadratic residuosity problem, whilst the second given by Boneh and Franklin [3] was based on the Weil pairing. Originally the ex
Exponent Group Signature Schemes and Ecient Identity Based Signature Schemes Based on Pairings F. Hess Dept. Computer Science, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol,
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationShort Signatures from the Weil Pairing
Short Signatures from the Weil Pairing Dan Boneh dabo@cs.stanford.edu Ben Lynn blynn@cs.stanford.edu Hovav Shacham hovav@cs.stanford.edu Abstract We introduce a short signature scheme based on the Computational
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationLecture 38: Secure Multi-party Computation MPC
Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationA Dierential Power Analysis attack against the Miller's Algorithm
A Dierential Power Analysis attack against the Miller's Algorithm Nadia El Mrabet (1), G. Di Natale (2) and M.L. Flottes (2) (1) Team Arith, (2) Team CCSI/LIRMM, Université Montpellier 2 Prime 2009, UCC,
More informationAvailable online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:
Available online at http://scik.org J. Math. Comput. Sci. 6 (2016), No. 3, 281-289 ISSN: 1927-5307 AN ID-BASED KEY-EXPOSURE FREE CHAMELEON HASHING UNDER SCHNORR SIGNATURE TEJESHWARI THAKUR, BIRENDRA KUMAR
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationHidden-Vector Encryption with Groups of Prime Order
Hidden-Vector Encryption with Groups of Prime Order Vincenzo Iovino 1 and Giuseppe Persiano 1 Dipartimento di Informatica ed Applicazioni, Università di Salerno, 84084 Fisciano (SA), Italy. iovino,giuper}@dia.unisa.it.
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationNew Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts
New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu
More informationFoundations. P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE
Foundations P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE NP problems: IF, DL, Knapsack Hardness of these problems implies the security of cryptosytems? 2 Relations of
More informationA NEW ID-BASED SIGNATURE WITH BATCH VERIFICATION
Trends in Mathematics Information Center for Mathematical Sciences Volume 8, Number 1, June, 2005, Pages 119 131 A NEW ID-BASED SIGNATURE WITH BATCH VERIFICATION JUNG HEE CHEON 1, YONGDAE KIM 2 AND HYO
More informationPractical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles
Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationIdentity-Based Online/Offline Encryption
Fuchun Guo 2 Yi Mu 1 Zhide Chen 2 1 University of Wollongong, Australia ymu@uow.edu.au 2 Fujian Normal University, Fuzhou, China fuchunguo1982@gmail.com Outline 1 2 3 4 Identity-based Encryption Review
More informationShort Signature Scheme From Bilinear Pairings
Sedat Akleylek, Barış Bülent Kırlar, Ömer Sever, and Zaliha Yüce Institute of Applied Mathematics, Middle East Technical University, Ankara, Turkey {akleylek,kirlar}@metu.edu.tr,severomer@yahoo.com,zyuce@stm.com.tr
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationPAIRING-BASED IDENTIFICATION SCHEMES
PAIRING-BASED IDENTIFICATION SCHEMES DAVID FREEMAN Abstract. We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions.
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationFinal Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.
Final Exam Math 10: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 0 April 2002 :0 11:00 a.m. Instructions: Please be as neat as possible (use a pencil), and show
More informationElliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationSecurity Analysis of Some Batch Verifying Signatures from Pairings
International Journal of Network Security, Vol.3, No.2, PP.138 143, Sept. 2006 (http://ijns.nchu.edu.tw/) 138 Security Analysis of Some Batch Verifying Signatures from Pairings Tianjie Cao 1,2,3, Dongdai
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationThreshold Cryptography
Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term 2013 09.07.2013 Threshold Cryptography 1 ? 09.07.2013 Threshold Cryptography 2 Threshold Cryptography Sharing Secrets Treasure
More informationShort Signatures Without Random Oracles
Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without
More informationA Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack
A Practical Elliptic Curve Public Key Encryption Scheme Provably Secure Against Adaptive Chosen-message Attack Huafei Zhu InfoComm Security Department, Institute for InfoComm Research. 21 Heng Mui Keng
More informationDigital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay
Digital Signatures Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay July 24, 2018 1 / 29 Group Theory Recap Groups Definition A set
More informationAdaptive Security of Compositions
emester Thesis in Cryptography Adaptive ecurity of Compositions Patrick Pletscher ETH Zurich June 30, 2005 upervised by: Krzysztof Pietrzak, Prof. Ueli Maurer Email: pat@student.ethz.ch In a recent paper
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationCertificateless Signcryption without Pairing
Certificateless Signcryption without Pairing Wenjian Xie Zhang Zhang College of Mathematics and Computer Science Guangxi University for Nationalities, Nanning 530006, China Abstract. Certificateless public
More informationRemove Key Escrow from The Identity-Based Encryption System
Remove Key Escrow from The Identity-Based Encryption System Zhaohui Cheng, Richard Comley and Luminita Vasiu School of Computing Science, Middlesex University, White Hart Lane, London N17 8HR, UK. {m.z.cheng,r.comley,l.vasiu}@mdx.ac.uk
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationSharing a Secret in Plain Sight. Gregory Quenell
Sharing a Secret in Plain Sight Gregory Quenell 1 The Setting: Alice and Bob want to have a private conversation using email or texting. Alice Bob 2 The Setting: Alice and Bob want to have a private conversation
More informationPairing-Based Identification Schemes
Pairing-Based Identification Schemes David Freeman Information Theory Research HP Laboratories Palo Alto HPL-2005-154 August 24, 2005* public-key cryptography, identification, zero-knowledge, pairings
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationShort signatures from the Weil pairing
Short signatures from the Weil pairing Dan Boneh, Ben Lynn, and Hovav Shacham Computer Science Department, Stanford University {dabo,blynn,hovav}@cs.stanford.edu Abstract. We introduce a short signature
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationElliptic Curve Cryptography
The State of the Art of Elliptic Curve Cryptography Ernst Kani Department of Mathematics and Statistics Queen s University Kingston, Ontario Elliptic Curve Cryptography 1 Outline 1. ECC: Advantages and
More informationSearchable Encryption Revisited: Consistency Properties, Relation to Anonymous IBE, and Extensions
An extended abstract of this paper appears in Victor Shoup, editor, Advances in Cryptology CRYPTO 2005, Volume 3621 of Lecture Notes in Computer Science, pages 205 222, Santa Barbara, California, August
More informationOne-Round ID-Based Blind Signature Scheme without ROS Assumption
One-Round ID-Based Blind Signature Scheme without ROS Assumption Wei Gao 1, Xueli Wang 2, Guilin Wang 3, and Fei Li 4 1 College of Mathematics and Econometrics, Hunan University, Changsha 410082, China
More information