Theoretical Computer Science. Proxy-invisible CCA-secure type-based proxy re-encryption without random oracles
Theoretical Computer Science 491 (2013)

Proxy-invisible CCA-secure type-based proxy re-encryption without random oracles

Jae Woo Seo (a), Dae Hyun Yum (b, corresponding author), Pil Joong Lee (a)

(a) Information Security Lab., Department of Electrical Engineering, POSTECH, Pohang, Gyungbuk, Republic of Korea
(b) Department of Information and Communication Engineering, Myongji University, Yongin, Gyeonggi-do, Republic of Korea

Article history: Received 23 June 2011; Received in revised form 8 April 2012; Accepted 6 November 2012; Communicated by X. Deng.

Keywords: Public key encryption; Type-based proxy re-encryption; Proxy invisibility; Chosen-ciphertext security.

Abstract. In a proxy re-encryption (PRE) scheme, a delegator gives a re-encryption key to a semi-trusted proxy who, by using the re-encryption key, can transform a ciphertext encrypted under the delegator's public key into one that can be decrypted using the private key of another user (called a delegatee). To provide fine-grained delegation, type-based PRE (TB-PRE) was introduced, in which the decryption right can be selectively delegated: the proxy in TB-PRE can only re-encrypt ciphertexts of a specific type selected by the delegator. Tang proposed the first proxy-invisible TB-PRE scheme, where proxy invisibility means that an adversary cannot distinguish between original ciphertexts and re-encrypted ciphertex. However, Tang's scheme is only secure against chosen-plaintext attacks. Jia et al. proposed a proxy-invisible TB-PRE scheme that is secure against chosen-ciphertext attacks under the random oracle heuristic. To date, there is no TB-PRE scheme achieving both proxy invisibility and chosen-ciphertext security in the standard model (i.e., without random oracles). We propose the first proxy-invisible TB-PRE scheme that is secure against chosen-ciphertext attacks in the standard model. © 2012 Elsevier B.V. All rights reserved.
1. Introduction

A proxy re-encryption (PRE) scheme [4,,7] allows a semi-trusted proxy to re-encrypt a ciphertext encrypted under one key into an encryption of the same plaintext under another key, without learning any information about the message it re-encrypts. PRE schemes have been used in various applications such as remote file storage [], digital rights management [5], access control systems [3], social network or mailing list services [8,5], anonymous routing protocols [20,23], and revocation systems [26,22].

PRE schemes can be classified into two categories according to the direction of delegation: bidirectional and unidirectional. A PRE scheme is called bidirectional if a re-encryption key can be used not only to convert ciphertexts from a delegator to a delegatee but also vice versa. Bidirectional PRE schemes are only useful when the trust relationship between a delegator and a delegatee is mutual. On the contrary, unidirectional PRE schemes do not allow the re-encryption key to be used for converting ciphertexts from a delegatee to a delegator and thus can be adopted even when the trust relationship is not mutual. Note also that bidirectional schemes can be constructed from unidirectional schemes. PRE schemes can also be classified into single-hop and multi-hop. A ciphertext in a single-hop PRE scheme can be re-encrypted only once, while that of a multi-hop PRE scheme can be re-encrypted many times; the construction of a multi-hop unidirectional PRE scheme is known to be an open problem. We focus on single-hop unidirectional schemes.

Footnotes. This work was supported by the 2012 Research Fund of Myongji University, the IT Consilience Creative Program (C ) and the ITRC (NIPA-2012- H ) of MKE and NIPA. Corresponding author. E-mail addresses: jwseo@postech.ac.kr (J.W. Seo), dhyum@mju.ac.kr (D.H. Yum), pjl@postech.ac.kr (P.J. Lee). See front matter © 2012 Elsevier B.V. All rights reserved. doi:10.1016/j.tcs
The decryption right in PRE is delegated in an all-or-nothing manner: the proxy can transform any ciphertext encrypted under the delegator's public key into one under the delegatee's public key. However, there are applications where the delegator wants to delegate the decryption right only for a subset of ciphertexts. For example, when Alice, on vacation, wants to delegate to Bob the decryption right for the encrypted e-mails carrying the keyword "urgent", all-or-nothing delegation is not enough. Type-based PRE (TB-PRE) [2,4] provides fine-grained delegation, where a re-encryption key can transform only ciphertexts of a specific type (e.g., a keyword). In other words, the delegator categorizes messages into different subsets (according to types) and is able to delegate the decryption right for each subset separately. In the literature, TB-PRE is also referred to as conditional PRE [24,25,0], where a condition is equivalent to a type. Fine-grained delegation according to time periods was studied as temporary PRE [,6,7].

In privacy-sensitive contexts, proxy invisibility (also called ciphertext privacy) is a valuable attribute; it requires that all re-encrypted ciphertexts be indistinguishable from ciphertexts originally generated for the delegatee. Tang [2] introduced the first proxy-invisible TB-PRE scheme, which is secure against chosen-plaintext attacks (CPA). Jia et al. [4] proposed a proxy-invisible TB-PRE scheme that is secure against chosen-ciphertext attacks (CCA) in the random oracle model.
Whereas the random oracle methodology [3], which assumes public oracle access to a truly random function, is a useful tool for designing cryptosystems, a security proof in the random oracle model does not guarantee security in the real world, where random oracles do not exist; several uninstantiable random-oracle-model cryptosystems [6,9,2,2,9] are secure in the random oracle model but provably insecure under any actual instantiation of the oracle. Jia et al. [4] left the construction of proxy-invisible TB-PRE without random oracles as an open problem.

In this work, we propose a TB-PRE scheme that achieves both standard-model CCA security (i.e., without random oracles) and proxy invisibility. To satisfy the two security notions simultaneously, our construction builds on the ideas of the first standard-model CCA-secure (non-type-based) PRE scheme [6] and the fully secure anonymous identity-based encryption scheme []. In [6], the CHK methodology [7] and the blind exponentiation technique, which re-randomizes ciphertexts via a blinding factor, are employed to obtain standard-model CCA security; we use the same techniques for standard-model CCA security. In [], the private key generator of the identity-based encryption scheme combines the master key and an identity in the form of an inverse exponent to obtain anonymity. Similarly, to generate a re-encryption key, we combine the delegator's private key and a type into an inverse exponent to obtain proxy invisibility. The security of the proposed scheme is proved in a formal security model.

2. Preliminaries

2.1. Bilinear maps

Let $G$ and $G_T$ be two (multiplicative) cyclic groups of prime order $p$. An (admissible) bilinear map $e : G \times G \to G_T$ between these two groups should satisfy the following properties:

1. Bilinear: $e(g^a, h^b) = e(g, h)^{ab}$ for all $g, h \in G$ and $a, b \in \mathbb{Z}$;
2. Non-degenerate: if $g$ is a generator of $G$ then $e(g, g) \neq 1$;
3. Computable: there is an efficient algorithm to compute $e(g, h)$ for any $g, h \in G$.

2.2. Complexity assumptions

The $q$-weak Decision Bilinear Diffie-Hellman Inversion ($q$-wDBDHI) assumption [7,6,0] is as follows: given the tuple $(g, g^{\alpha}, \ldots, g^{\alpha^q}, \hat g, Z)$ as input, it is infeasible to decide whether $Z = e(g, \hat g)^{1/\alpha}$ or $Z = R$ in $G_T$, where $g$ and $\hat g$ are random in $G$ and $R$ is random in $G_T$. Formally, an algorithm $B$ has advantage $\epsilon$ in solving the $q$-wDBDHI problem if

$$\Big| \Pr\big[B(g, g^{\alpha}, \ldots, g^{\alpha^q}, \hat g, e(g, \hat g)^{1/\alpha}) = 0\big] - \Pr\big[B(g, g^{\alpha}, \ldots, g^{\alpha^q}, \hat g, R) = 0\big] \Big| \geq \epsilon,$$

where the probability is over the random choice of the generators $g, \hat g \in G$, the random choice of $\alpha \in \mathbb{Z}_p$, the random choice of $R \in G_T$, and the internal coin tosses of $B$. We refer to the distribution over $(g, g^{\alpha}, \ldots, g^{\alpha^q}, \hat g, e(g, \hat g)^{1/\alpha})$ on the left as $P_{q\text{-wDBDHI}}$ and the distribution over $(g, g^{\alpha}, \ldots, g^{\alpha^q}, \hat g, R)$ on the right as $R_{q\text{-wDBDHI}}$.

Definition 1. We say that the $(t, q, \epsilon)$-$q$-wDBDHI assumption holds in $G$ if no $t$-time algorithm $B$ has advantage at least $\epsilon$ in solving the $q$-wDBDHI problem in $G$.

2.3. One-time signatures

A one-time signature scheme allows the signing of only a single message with a given signing key. The syntax of one-time signature schemes is the same as that of ordinary signature schemes, and one-timeness is enforced by the security definition.

Footnote. Tang [2] also proposed a TB-PRE scheme that is secure against chosen-ciphertext attacks in the random oracle model but is not proxy-invisible.
Definition 2. A (one-time) signature scheme consists of a triple of algorithms $\mathrm{Sig} = (G, S, V)$ such that:

- $G$, the key generation algorithm, is a probabilistic algorithm that, given a security parameter $\lambda$, outputs a signing key $ssk$ and a verification key $svk$; $(ssk, svk) \leftarrow G(\lambda)$.
- $S$, the signing algorithm, is a possibly probabilistic algorithm that, given a signing key $ssk$ and a message $m$, outputs a signature $\sigma$ on $m$; $\sigma \leftarrow S(ssk, m)$.
- $V$, the verification algorithm, is a deterministic algorithm that, given a verification key $svk$, a signature $\sigma$, and a message $m$, outputs a bit $b \in \{0, 1\}$ (where $b = 1$ signifies "acceptance" and $b = 0$ signifies "rejection"); $b \leftarrow V(svk, \sigma, m)$.

We require that for any message $m$ and any key pair $(ssk, svk)$ generated by $G(\cdot)$, we have $V(svk, \sigma, m) = 1$ if $\sigma \leftarrow S(ssk, m)$. As in [7], we consider strongly unforgeable one-time signatures.

Definition 3. A one-time signature $\mathrm{Sig} = (G, S, V)$ is strongly unforgeable if the advantage

$$\mathrm{Adv}_{\mathrm{Sig}} = \Pr\Big[ V(svk, \sigma^*, m^*) = 1 \ \wedge\ (m^*, \sigma^*) \neq (m, \sigma) \;:\; (ssk, svk) \leftarrow G(\lambda),\ (m, st) \leftarrow F(svk),\ \sigma \leftarrow S(ssk, m),\ (m^*, \sigma^*) \leftarrow F(m, \sigma, svk, st) \Big]$$

is negligible for any probabilistic polynomial-time (PPT) algorithm $F$, where $st$ is $F$'s state information.

3. Type-based proxy re-encryption

3.1. Syntax

The syntactic definition of (single-hop unidirectional) TB-PRE schemes is as follows.

Definition 4. A (single-hop unidirectional) type-based proxy re-encryption scheme consists of a tuple of algorithms $(\mathrm{Setup}, \mathrm{Keygen}, \mathrm{Rekeygen}, \mathrm{Enc}_1, \mathrm{Enc}_2, \mathrm{Renc}, \mathrm{Dec}_1, \mathrm{Dec}_2)$ such that:

- $\mathrm{Setup}$, the global parameter generation algorithm, is a probabilistic algorithm that, given a security parameter $\lambda$, outputs a global parameter $param$ to be used by all parties; $param \leftarrow \mathrm{Setup}(\lambda)$. For simplicity, we omit the global parameter from the inputs of the other algorithms.
- $\mathrm{Keygen}$, the key generation algorithm, is a probabilistic algorithm that, given a security parameter $\lambda$, outputs a public key and a secret key; $(pk, sk) \leftarrow \mathrm{Keygen}(\lambda)$.
- $\mathrm{Rekeygen}$, the re-encryption key generation algorithm, is a possibly probabilistic algorithm that, given a user $i$'s private key $sk_i$, a user $j$'s public key $pk_j$, and a type $t$, outputs the re-encryption key $rk^t_{i \to j}$ for re-encrypting from user $i$ to user $j$ for the type $t$; $rk^t_{i \to j} \leftarrow \mathrm{Rekeygen}(sk_i, pk_j, t)$.
- $\mathrm{Enc}_1$, the first level encryption algorithm, is a probabilistic algorithm that, given a user $j$'s public key $pk_j$ and a message $m$, outputs a first level ciphertext (which cannot be re-encrypted for another user); $C_j \leftarrow \mathrm{Enc}_1(pk_j, m)$.
- $\mathrm{Enc}_2$, the second level encryption algorithm, is a probabilistic algorithm that, given a user $i$'s public key $pk_i$, a message $m$, and a type $t$, outputs a second level ciphertext (which can be re-encrypted into a first level ciphertext for another user); $C_i \leftarrow \mathrm{Enc}_2(pk_i, m, t)$.
- $\mathrm{Renc}$, the re-encryption algorithm, is a possibly probabilistic algorithm that, given a re-encryption key $rk^t_{i \to j}$ and a second level ciphertext $C_i$, re-encrypts $C_i$ into a first level ciphertext $C_j$. It outputs the first level ciphertext $C_j$ or the special symbol $\perp$ indicating an error; $C_j \leftarrow \mathrm{Renc}(rk^t_{i \to j}, C_i)$.
- $\mathrm{Dec}_1$, the first level decryption algorithm, is a deterministic algorithm that, given a user $j$'s private key $sk_j$ and a first level ciphertext $C_j$, outputs a message $m$ or the special symbol $\perp$ indicating an error; $m \leftarrow \mathrm{Dec}_1(sk_j, C_j)$.
- $\mathrm{Dec}_2$, the second level decryption algorithm, is a deterministic algorithm that, given a user $i$'s private key $sk_i$ and a second level ciphertext $C_i$, outputs a message $m$ or the special symbol $\perp$ indicating an error; $m \leftarrow \mathrm{Dec}_2(sk_i, C_i)$.
For any common public parameter $param$, any message $m$, and any private/public key pairs $(sk_i, pk_i)$, $(sk_j, pk_j)$, the algorithms should satisfy the following correctness properties:

$$\mathrm{Dec}_1(sk_j, \mathrm{Enc}_1(pk_j, m)) = m;\quad \mathrm{Dec}_2(sk_i, \mathrm{Enc}_2(pk_i, m, t)) = m;\quad \mathrm{Dec}_1\big(sk_j, \mathrm{Renc}(\mathrm{Rekeygen}(sk_i, pk_j, t), \mathrm{Enc}_2(pk_i, m, t))\big) = m.$$

3.2. Security model

As in [6,7], we assume that honest users and corrupt users are determined at the beginning of the game and that the adversary can decrypt ciphertexts of honest users by using re-encryption keys. The adversary may obtain all re-encryption keys except those that would let it trivially decrypt the challenge ciphertext. That is, the adversary can make re-encryption key generation queries adaptively and read messages addressed to honest users even though it does not know their private keys. We consider replayable CCA security in the standard model; the adversary is not allowed to ask
for the decryption of a re-randomized version of the challenge ciphertext. As no non-replayable CCA-secure (type-based or non-type-based) PRE scheme in the standard model is known to date, and replayable CCA security is arguably sufficient for most practical applications (see [8] for the argument), we consider replayable CCA security in the remainder of this paper.

Three security notions should be addressed for TB-PRE: second level ciphertext security, first level ciphertext security, and proxy invisibility. Note that first level ciphertext security implies master secret security, in which no coalition of dishonest delegatees is able to pool their re-encryption keys in order to expose the private key of their common delegator [7].

Second level ciphertext security. This notion requires that the adversary cannot learn any information about the message from second level ciphertexts even if it can access a re-encryption key generation oracle $O_{rk}$, a re-encryption oracle $O_{renc}$, and a first level decryption oracle $O_{dec}$. A second level decryption oracle is unnecessary because second level ciphertexts can be translated into first level ciphertexts for other users (e.g., a corrupt user) through re-encryption oracle queries and then decrypted by the first level decryption oracle.

Definition 5.
A type-based proxy re-encryption scheme is IND-t-Pr-RCCA at the second level if for any PPT adversary $A$ the probability

$$\Pr\left[ b' = b \;:\; \begin{array}{l} param \leftarrow \mathrm{Setup}(\lambda),\ \{(pk_h, sk_h) \leftarrow \mathrm{Keygen}(\lambda)\},\ \{(pk_x, sk_x) \leftarrow \mathrm{Keygen}(\lambda)\}, \\ (m_0, m_1, t^*, pk_{i^*}, st) \leftarrow A^{O_{rk}, O_{renc}, O_{dec}}(\{pk_h\}, \{(pk_x, sk_x)\}), \\ b \leftarrow \{0, 1\},\ C^* \leftarrow \mathrm{Enc}_2(pk_{i^*}, m_b, t^*),\ b' \leftarrow A^{O_{rk}, O_{renc}, O_{dec}}(C^*, st) \end{array} \right]$$

is negligibly close to $1/2$ in the security parameter $\lambda$, where $(pk_{i^*}, sk_{i^*}) \in \{(pk_h, sk_h)\}$ is the key pair of the target user $i^*$ generated by the challenger, $t^*$ is the target type chosen by the adversary, $(pk_h, sk_h)$ and $(pk_x, sk_x)$ are the key pairs of an honest user and a corrupt user, respectively, and $st$ is the state information maintained by $A$. The adversary $A$ is given the set of public keys of the honest users and the set of key pairs of the corrupt users, and has access to the oracles $O_{rk}$, $O_{renc}$ and $O_{dec}$. The adversary $A$ is not allowed to make the queries $O_{rk}(pk_{i^*}, pk_x, t^*)$, $O_{renc}(pk_{i^*}, pk_x, t^*, C^*)$, and $O_{dec}(\hat{pk}, \hat{C})$, where $(\hat{pk}, \hat{C})$ is a derivative of $(pk_{i^*}, C^*)$. If $\hat{C}$ is a first level ciphertext and $\hat{pk} \in \{pk_{i^*}\} \cup \{pk_h\}$, we say that $(\hat{pk}, \hat{C})$ is a derivative of $(pk_{i^*}, C^*)$ if $\mathrm{Dec}_1(\hat{sk}, \hat{C}) \in \{m_0, m_1\}$.

First level ciphertext security. This notion requires that the adversary cannot learn any information about the message from first level ciphertexts even if it can access a re-encryption key generation oracle $O_{rk}$ and a first level decryption oracle $O_{dec}$. The re-encryption oracle is unnecessary because the adversary can obtain all re-encryption keys.

Definition 6.
A type-based proxy re-encryption scheme is IND-t-Pr-RCCA at the first level if for any PPT adversary $A$ the probability

$$\Pr\left[ b' = b \;:\; \begin{array}{l} param \leftarrow \mathrm{Setup}(\lambda),\ \{(pk_h, sk_h) \leftarrow \mathrm{Keygen}(\lambda)\},\ \{(pk_x, sk_x) \leftarrow \mathrm{Keygen}(\lambda)\}, \\ (m_0, m_1, pk_{i^*}, st) \leftarrow A^{O_{rk}, O_{dec}}(\{pk_h\}, \{(pk_x, sk_x)\}), \\ b \leftarrow \{0, 1\},\ C^* \leftarrow \mathrm{Enc}_1(pk_{i^*}, m_b),\ b' \leftarrow A^{O_{rk}, O_{dec}}(C^*, st) \end{array} \right]$$

is negligibly close to $1/2$ in the security parameter $\lambda$, where $(pk_{i^*}, sk_{i^*}) \in \{(pk_h, sk_h)\}$ is the key pair of the target user $i^*$ generated by the challenger, $(pk_h, sk_h)$ and $(pk_x, sk_x)$ are the key pairs of an honest user and a corrupt user, respectively, and $st$ is the state information maintained by $A$. The adversary $A$ is given the set of public keys of the honest users and the set of key pairs of the corrupt users, and has access to the oracles $O_{rk}$ and $O_{dec}$. The adversary $A$ is not allowed to make the query $O_{dec}(\hat{pk}, \hat{C})$, where $(\hat{pk}, \hat{C})$ is a derivative of $(pk_{i^*}, C^*)$.

In Definitions 5 and 6, the oracles $O_{rk}$, $O_{renc}$, and $O_{dec}$ work as follows:

- A re-encryption key generation oracle $O_{rk}(pk_i, pk_j, t)$ takes as input the public key $pk_i$ of a delegator, the public key $pk_j$ of a delegatee, and a type $t$. It outputs the re-encryption key $rk^t_{i \to j} \leftarrow \mathrm{Rekeygen}(sk_i, pk_j, t)$ that delegates the decryption right from user $i$ to user $j$ for the type $t$.
- A re-encryption oracle $O_{renc}(pk_i, pk_j, t, C_i)$ takes as input the public key $pk_i$ of a delegator, the public key $pk_j$ of a delegatee, a type $t$, and a ciphertext $C_i$. It outputs the re-encrypted ciphertext $C_j \leftarrow \mathrm{Renc}(rk^t_{i \to j}, C_i)$, or the special symbol $\perp$ indicating an error if the given ciphertext $C_i$ is invalid.
- A first level decryption oracle $O_{dec}(pk_i, C_i)$ takes as input the public key $pk_i$ of a receiver and a ciphertext $C_i$. It outputs the message $m \leftarrow \mathrm{Dec}_1(sk_i, C_i)$, or the special symbol $\perp$ indicating an error if the given ciphertext $C_i$ is invalid.

Proxy invisibility.
This security notion requires that the adversary cannot distinguish between ciphertexts re-encrypted by a proxy and ciphertexts originally generated for the delegatee.
Definition 7. A type-based proxy re-encryption scheme is proxy-invisible if for any PPT adversary $A$ the probability

$$\Pr\left[ b' = b \;:\; \begin{array}{l} param \leftarrow \mathrm{Setup}(\lambda),\ \{(pk_h, sk_h) \leftarrow \mathrm{Keygen}(\lambda)\},\ \{(pk_x, sk_x) \leftarrow \mathrm{Keygen}(\lambda)\}, \\ b \leftarrow \{0, 1\},\ b' \leftarrow A^{O_{rk},\, O_{b, renc/enc}}(\{pk_h\}, \{(pk_x, sk_x)\}) \end{array} \right]$$

is negligibly close to $1/2$ in the security parameter $\lambda$, where $(pk_h, sk_h)$ and $(pk_x, sk_x)$ are the key pairs of an honest user and a corrupt user, respectively. The adversary $A$ is given the set of public keys of the honest users and the set of key pairs of the corrupt users, and has access to the oracles $O_{rk}$ and $O_{b, renc/enc}$. The renc-or-enc oracle is initialized with a random bit $b \in \{0, 1\}$ and works as follows:

- A renc-or-enc oracle $O_{b, renc/enc}(pk_i, pk_j, m, t)$ takes as input the public key $pk_i$ of a delegator, the public key $pk_j$ of a delegatee, a message $m$, and a type $t$. If $b = 0$, it outputs $C_j \leftarrow \mathrm{Enc}_1(pk_j, m)$. Otherwise, it outputs $C_j \leftarrow \mathrm{Renc}(rk^t_{i \to j}, C_i)$, where $C_i \leftarrow \mathrm{Enc}_2(pk_i, m, t)$ and $rk^t_{i \to j} \leftarrow \mathrm{Rekeygen}(sk_i, pk_j, t)$.

For proxy invisibility, the output distributions of the re-encryption algorithm and of the first level encryption algorithm should be indistinguishable. That is, the following distributions $D_{\mathrm{Renc}}$ and $D_{\mathrm{Enc}}$ should be indistinguishable for any key pair $(pk_j, sk_j)$, any message $m$, and any type $t$:

$$D_{\mathrm{Enc}} = \{C_j \mid C_j \leftarrow \mathrm{Enc}_1(pk_j, m)\};\qquad D_{\mathrm{Renc}} = \{C_j \mid C_i \leftarrow \mathrm{Enc}_2(pk_i, m, t),\ rk^t_{i \to j} \leftarrow \mathrm{Rekeygen}(sk_i, pk_j, t),\ C_j \leftarrow \mathrm{Renc}(rk^t_{i \to j}, C_i)\}.$$

4. CCA-secure TB-PRE with proxy invisibility

We now present a proxy-invisible TB-PRE scheme that is CCA-secure in the standard model.

4.1. Construction

For simplicity, we assume that the verification keys of the one-time signature scheme and the types are encoded as elements of $\mathbb{Z}_p$. In practice, a collision-resistant hash function should be applied to map them onto $\mathbb{Z}_p$.

$\mathrm{Setup}(\lambda)$: Given a security parameter $\lambda$, the setup algorithm chooses groups $G$ and $G_T$ of prime order $p$ ($> 2^{\lambda}$) with a bilinear map $e : G \times G \to G_T$, and a strongly unforgeable one-time signature scheme $\mathrm{Sig} = (G, S, V)$.
It picks random generators $g, h, u, v \in G$ and a set of types $T = \{t_1, \ldots, t_q\}$ with $t_i \in \mathbb{Z}_p$. The global parameter is $param = \{G, G_T, g, h, u, v, \mathrm{Sig}, T\}$.

$\mathrm{Keygen}(\lambda)$: To generate a public/private key pair, a user $i$ chooses random $x_i, y_i \in \mathbb{Z}_p$ and sets $X_i = g^{x_i}$ and $Y_i = h^{y_i}$. The public key and private key of user $i$ are $pk_i = (X_i, Y_i)$ and $sk_i = (x_i, y_i)$.

$\mathrm{Rekeygen}(sk_i, pk_j, t)$: On input user $i$'s private key $(x_i, y_i)$, user $j$'s public key $(X_j, Y_j)$, and a type $t \in T$, user $i$ sets the re-encryption key $rk^t_{i \to j} = (t, rk) = (t, Y_j^{1/(x_i - t)})$ for re-encrypting from user $i$ to user $j$ for the type $t$, and sends $rk^t_{i \to j}$ to the proxy.

$\mathrm{Enc}_1(pk_i, m)$: To encrypt a message $m \in G_T$ under the public key $pk_i$ at the first level, the sender selects a one-time signature key pair $(ssk, svk) \leftarrow G(\lambda)$, picks random $s, r \in \mathbb{Z}_p$, and sets

$$c' = Y_i^{r},\quad c'_1 = g^{1/r},\quad c'_2 = g^{s/r},\quad c_3 = m \cdot e(g, h)^s,\quad c_4 = (u^{svk} v)^s.$$

Then the sender generates a one-time signature $\sigma \leftarrow S(ssk, (c_3, c_4))$. The first level ciphertext is $C_i = (svk, c', c'_1, c'_2, c_3, c_4, \sigma)$.

$\mathrm{Enc}_2(pk_i, m, t)$: To encrypt a message $m \in G_T$ with a type $t \in T$ under the public key $pk_i$ at the second level, the sender selects a one-time signature key pair $(ssk, svk) \leftarrow G(\lambda)$, picks a random $s \in \mathbb{Z}_p$, and sets

$$c_1 = t,\quad c_2 = X_i^{s} g^{-st} = g^{s(x_i - t)},\quad c_3 = m \cdot e(g, h)^s,\quad c_4 = (u^{svk} v)^s.$$

Then the sender generates a one-time signature $\sigma \leftarrow S(ssk, (c_3, c_4))$. The second level ciphertext is $C_i = (svk, c_1, c_2, c_3, c_4, \sigma)$.
$\mathrm{Renc}(rk^t_{i \to j}, C_i)$: On input the re-encryption key $rk^t_{i \to j} = (t, rk)$ and a second level ciphertext $C_i = (svk, c_1, c_2, c_3, c_4, \sigma)$, the proxy first checks whether $c_1 = t$. If $c_1 \neq t$, it outputs $\perp$. Otherwise, the proxy tests the following relations:

$$V(svk, \sigma, (c_3, c_4)) = 1, \qquad (1)$$
$$e(c_2, u^{svk} v) = e(X_i g^{-c_1}, c_4). \qquad (2)$$

If the test fails, the proxy outputs $\perp$. Otherwise, it picks a random $w \in \mathbb{Z}_p$ and computes

$$c' = rk^{w} = Y_j^{w/(x_i - t)},\quad c'_1 = (X_i g^{-c_1})^{1/w} = g^{(x_i - t)/w},\quad c'_2 = c_2^{1/w} = g^{s(x_i - t)/w}.$$

The re-encrypted ciphertext for user $j$ is $C_j = (svk, c', c'_1, c'_2, c_3, c_4, \sigma)$.

$\mathrm{Dec}_1(sk_j, C_j)$: On input user $j$'s private key $sk_j = (x_j, y_j)$ and a first level ciphertext $C_j = (svk, c', c'_1, c'_2, c_3, c_4, \sigma)$, user $j$ checks the validity of the ciphertext by testing the following relations:

$$V(svk, \sigma, (c_3, c_4)) = 1, \qquad (3)$$
$$e(c'_1, c' \cdot c_4) = e(g, Y_j) \cdot e(u^{svk} v, c'_2). \qquad (4)$$

If the check fails, it outputs $\perp$. Otherwise, user $j$ outputs the message $m = c_3 / e(c'_2, c')^{1/y_j}$.

$\mathrm{Dec}_2(sk_i, C_i)$: On input user $i$'s private key $sk_i = (x_i, y_i)$ and a second level ciphertext $C_i = (svk, c_1, c_2, c_3, c_4, \sigma)$, user $i$ checks the validity of the ciphertext by testing Eqs. (1) and (2). If the check fails, $\perp$ is returned. Otherwise, user $i$ outputs the message $m = c_3 / e(c_2, h)^{1/(x_i - c_1)}$.

A TB-PRE scheme should satisfy the correctness property, which says that originally encrypted or re-encrypted ciphertexts can be decrypted by the legitimate receiver; if the ciphertext produced by a sender or a proxy is well-formed, it should decrypt correctly at each level:

$$\mathrm{Dec}_1(sk_j, \mathrm{Renc}(rk^t_{i \to j}, C_i)) = \frac{c_3}{e(c'_2, c')^{1/y_j}} = \frac{c_3}{e\big(g^{s(x_i - t)/w}, Y_j^{w/(x_i - t)}\big)^{1/y_j}} = \frac{m \cdot e(g, h)^s}{e(g^s, Y_j)^{1/y_j}} = m, \qquad (5)$$
$$\mathrm{Dec}_2(sk_i, C_i) = \frac{c_3}{e(c_2, h)^{1/(x_i - c_1)}} = \frac{m \cdot e(g, h)^s}{e\big(g^{s(x_i - t)}, h\big)^{1/(x_i - t)}} = \frac{m \cdot e(g, h)^s}{e(g, h^s)} = m. \qquad (6)$$

If a second level ciphertext is re-encrypted, the re-encrypted ciphertext has the same form as a first level ciphertext (i.e., a ciphertext originally encrypted for the delegatee).
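The construction above, run end to end in an exponent-level model of the bilinear group; this is an added example, not code from the paper. Group elements are represented by their discrete logarithms so that pairings become products of exponents, a Lamport one-time signature stands in for Sig, and svk is mapped into Z_p with SHA-256 as the construction assumes. The model exposes every exponent and has no security value; it only confirms that the checks (1)-(4) and the correctness equations (5) and (6) hold on actual values, including rejection of a tampered ciphertext.

```python
import hashlib
import secrets

# Exponent-level model of the bilinear group (constructed for this example). An element
# g^a of G is stored as the integer a mod p, so a product in G is a sum of logs, a power
# is a product, and the pairing e(g^a, g^b) = e(g, g)^(a*b) is a product of logs. Elements
# of G_T, including messages, are stored as logs base e(g, g). First level ciphertexts use
# keys c0, c1, c2 for the paper's c', c'_1, c'_2. Every log is visible, so this has no
# security value; it only lets Eqs. (1)-(6) be checked on real values.
P = 2**127 - 1  # prime group order p (constructed choice)

def rand():
    return secrets.randbelow(P - 1) + 1

def inv(a):
    return pow(a % P, -1, P)

def pair(a, b):
    return a * b % P  # e(g^a, g^b) as a log base e(g, g)

# Lamport one-time signature over SHA-256; stands in for Sig = (G, S, V).
def ots_keygen():
    ssk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    svk = [[hashlib.sha256(k).digest() for k in pr] for pr in ssk]
    return ssk, svk

def _bits(msg):
    d = hashlib.sha256(repr(msg).encode()).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def ots_sign(ssk, msg):
    return [ssk[i][b] for i, b in enumerate(_bits(msg))]

def ots_verify(svk, sig, msg):
    return all(hashlib.sha256(sig[i]).digest() == svk[i][b] for i, b in enumerate(_bits(msg)))

def svk_to_zp(svk):
    # the construction assumes svk is encoded in Z_p via a collision-resistant hash
    return int.from_bytes(hashlib.sha256(b"".join(k for pr in svk for k in pr)).digest(), "big") % P

def setup():
    # g is the base of all logs (log g = 1); h, u, v are random generators
    return {"h": rand(), "u": rand(), "v": rand()}

def keygen(pp):
    x, y = rand(), rand()
    return {"X": x, "Y": pp["h"] * y % P}, {"x": x, "y": y}  # X = g^x, Y = h^y

def rekeygen(sk_i, pk_j, t):
    return t, pk_j["Y"] * inv(sk_i["x"] - t) % P  # rk = Y_j^(1/(x_i - t))

def _uv(pp, svk):
    return (pp["u"] * svk_to_zp(svk) + pp["v"]) % P  # log of u^svk * v

def enc1(pp, pk_i, m):
    ssk, svk = ots_keygen()
    s, r = rand(), rand()
    c3, c4 = (m + s * pp["h"]) % P, _uv(pp, svk) * s % P
    return {"svk": svk, "c0": pk_i["Y"] * r % P, "c1": inv(r), "c2": s * inv(r) % P,
            "c3": c3, "c4": c4, "sig": ots_sign(ssk, (c3, c4))}

def enc2(pp, pk_i, m, t):
    ssk, svk = ots_keygen()
    s = rand()
    c3, c4 = (m + s * pp["h"]) % P, _uv(pp, svk) * s % P
    return {"svk": svk, "c1": t, "c2": (pk_i["X"] - t) * s % P,
            "c3": c3, "c4": c4, "sig": ots_sign(ssk, (c3, c4))}

def _valid2(pp, pk_i, C):
    # Eqs. (1) and (2): V(svk, sigma, (c3, c4)) = 1 and e(c2, u^svk v) = e(X_i g^-c1, c4)
    return (ots_verify(C["svk"], C["sig"], (C["c3"], C["c4"]))
            and pair(C["c2"], _uv(pp, C["svk"])) == pair(pk_i["X"] - C["c1"], C["c4"]))

def renc(pp, pk_i, rk, C):
    t, rk_val = rk
    if C["c1"] != t or not _valid2(pp, pk_i, C):
        return None  # the paper's error symbol
    w = rand()
    return {"svk": C["svk"], "c0": rk_val * w % P, "c1": (pk_i["X"] - t) * inv(w) % P,
            "c2": C["c2"] * inv(w) % P, "c3": C["c3"], "c4": C["c4"], "sig": C["sig"]}

def dec1(pp, pk_j, sk_j, C):
    # Eqs. (3) and (4): signature check and e(c1', c0' c4) = e(g, Y_j) e(u^svk v, c2')
    if not ots_verify(C["svk"], C["sig"], (C["c3"], C["c4"])):
        return None
    if pair(C["c1"], C["c0"] + C["c4"]) != (pair(1, pk_j["Y"]) + pair(_uv(pp, C["svk"]), C["c2"])) % P:
        return None
    return (C["c3"] - pair(C["c2"], C["c0"]) * inv(sk_j["y"])) % P  # c3 / e(c2', c0')^(1/y_j)

def dec2(pp, pk_i, sk_i, C):
    if not _valid2(pp, pk_i, C):
        return None
    return (C["c3"] - pair(C["c2"], pp["h"]) * inv(sk_i["x"] - C["c1"])) % P

def has_enc1_form(pk_j, C):
    # a re-encrypted ciphertext matches Enc_1 output with r = w/(x_i - t): c0' = Y_j^r, c1' = g^(1/r)
    r = inv(C["c1"])
    return C["c0"] == pk_j["Y"] * r % P
```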
Recall that the re-encrypted ciphertext is $C_j = (svk, c', c'_1, c'_2, c_3, c_4, \sigma)$ where $c' = Y_j^{w/(x_i - t)}$, $c'_1 = g^{(x_i - t)/w}$, and $c'_2 = g^{s(x_i - t)/w}$. If we let $\bar r = w/(x_i - t)$, then $c', c'_1, c'_2$ of the re-encrypted ciphertext can be written as

$$c' = Y_j^{w/(x_i - t)} = Y_j^{\bar r},\quad c'_1 = g^{(x_i - t)/w} = g^{1/\bar r},\quad c'_2 = g^{s(x_i - t)/w} = g^{s/\bar r},$$

which is a well-formed first level ciphertext.

The validity checks on the two types of ciphertexts are required in order to achieve CCA security. In the re-encryption algorithm, Eq. (2) guarantees that $c_2$ and $c_4$ have the same exponent $s$ with respect to the bases $X_i g^{-t}$ and $u^{svk} v$, respectively, from which we have $e(c_2, h) = e(g^{s(x_i - t)}, h)$; note that this relation is necessary for the second level decryption process (i.e., Eq. (6)). In the first level decryption algorithm, Eq. (4) ensures that $(c'_1)^s = c'_2$, and thus we have $e(c'_2, c') = e(g^s, Y_j)$, which is necessary for the first level decryption process (i.e., Eq. (5)).

4.2. Security

We prove that the proposed TB-PRE scheme is CCA-secure at the second level in Theorem 1 and at the first level in Theorem 2. Proxy invisibility is proved in Theorem 3.

Theorem 1. The proposed TB-PRE scheme is IND-t-Pr-RCCA at the second level if the one-time signature $\mathrm{Sig}$ is strongly unforgeable and the $q$-wDBDHI assumption holds in $G$.
Proof. Let $A$ be an adversary that breaks the IND-t-Pr-RCCA security at the second level with advantage $\epsilon$. We construct an algorithm $B$ that solves the $q$-wDBDHI problem by interacting with $A$. The algorithm $B$ takes as input a random $q$-wDBDHI challenge $(g, g_1, \ldots, g_q, \hat g, Z)$ where $g_\tau = g^{\alpha^\tau}$ for $\tau \in \{0, 1, \ldots, q\}$. If $Z = e(g, \hat g)^{1/\alpha}$, the challenge is distributed according to $P_{q\text{-wDBDHI}}$; otherwise it is distributed according to $R_{q\text{-wDBDHI}}$. $B$ decides whether $Z = e(g, \hat g)^{1/\alpha}$ by running the successful IND-t-Pr-RCCA adversary $A$. The algorithm $B$ proceeds as follows.

Before describing $B$, we define an event $F_{\mathrm{Sig}}$. Let $C^* = (svk^*, c^*_1, c^*_2, c^*_3, c^*_4, \sigma^*)$ be the challenge ciphertext. $F_{\mathrm{Sig}}$ is the event that $A$ issues a decryption query for a first level ciphertext $C = (svk^*, c', c'_1, c'_2, c_3, c_4, \sigma)$ or a re-encryption query for a second level ciphertext $C = (svk^*, c_1, c_2, c_3, c_4, \sigma)$ where $(c_3, c_4, \sigma) \neq (c^*_3, c^*_4, \sigma^*)$ but $V(svk^*, \sigma, (c_3, c_4)) = 1$. This event occurs when $A$ selects the one-time verification key $svk^*$ in the find phase, or when $A$ forges a signature on $(c_3, c_4) \neq (c^*_3, c^*_4)$ in the guess phase. In the find phase, $A$ can learn no information about $svk^*$ since $svk^*$ is chosen at random. Therefore, the probability of the event $F_{\mathrm{Sig}}$ is

$$\Pr[F_{\mathrm{Sig}}] \leq (q_{renc} + q_{dec})/p + \mathrm{Adv}_{\mathrm{Sig}},$$

where $q_{renc}$ and $q_{dec}$ are the maximum numbers of re-encryption oracle queries and first level decryption oracle queries, respectively. If the event $F_{\mathrm{Sig}}$ occurs, $B$ terminates the game and returns a random bit. By the strong unforgeability of the one-time signature, $\Pr[F_{\mathrm{Sig}}]$ must be negligible.

Let $HU$ be the set of honest users, including the target user $i^*$, and $CU$ be the set of corrupt users. By Definition 5, $B$ first generates the global parameter $param$, the public keys of the honest users, and the key pairs of the corrupt users, and gives these values to $A$.
- Setup: $B$ generates a type set $T = \{t_1, \ldots, t_q\}$ with $q$ distinct $t_i \in \mathbb{Z}_p$ and chooses a type $t^* \in T$ at random. If $\alpha \in T$, then $B$ uses $\alpha$ to solve the $q$-wDBDHI problem directly. Otherwise, it defines the polynomial

$$f(x) = \prod_{\tau = 1,\ t_\tau \neq t^*}^{q} (x + t^* - t_\tau)$$

of degree $q - 1$, expands $f(x)$, and writes $f(x) = \sum_{\tau = 0}^{q - 1} \nu_\tau x^\tau$, where $\nu_0, \ldots, \nu_{q - 1} \in \mathbb{Z}_p$ are the coefficients of $f(x)$. It picks a random $\varsigma \in \mathbb{Z}_p$ and sets

$$h = g^{\varsigma f(\alpha)} = \prod_{\tau = 0}^{q - 1} g_\tau^{\varsigma \nu_\tau}.$$

It chooses a strongly unforgeable one-time signature $\mathrm{Sig} = (G, S, V)$, generates a one-time signature key pair $(ssk^*, svk^*) \leftarrow G(\lambda)$, and sets $u = g^{\gamma_1}$ and $v = g^{-\gamma_1 svk^*} g_1^{\gamma_2}$ for random $\gamma_1, \gamma_2 \in \mathbb{Z}_p$. Since $\varsigma$, $\gamma_1$, and $\gamma_2$ are uniformly distributed, the global parameters $param = \{G, G_T, g, h, u, v, \mathrm{Sig}, T\}$ have the same distribution as in the actual construction.

- Key generation: The target user's public key is set, for a random $y \in \mathbb{Z}_p$, as

$$pk_{i^*} = (X_{i^*}, Y_{i^*}) = (g^{x_{i^*}}, h^{y_{i^*}}) = \Big(g_1 g^{t^*},\ h^{y\alpha}\Big) = \Big(g_1 g^{t^*},\ \prod_{\tau = 0}^{q - 1} g_{\tau + 1}^{y \varsigma \nu_\tau}\Big),$$

where the private key $sk_{i^*} = (x_{i^*}, y_{i^*}) = (\alpha + t^*, y\alpha)$ is unknown to $B$. For a user $i \in HU \setminus \{i^*\}$, $B$ sets the public key $pk_i = (g^{x_i}, h^{y_i \alpha})$ for random $x_i, y_i \in \mathbb{Z}_p$, where the private key is $(x_i, y_i \alpha)$. For a user $j \in CU$, $B$ sets the private key $sk_j = (x_j, y_j)$ and the public key $pk_j = (g^{x_j}, h^{y_j})$ for random $x_j, y_j \in \mathbb{Z}_p$.

To simulate $A$'s environment successfully, $B$ must predict the target user $i^*$ and the challenge type $t^*$ that $A$ will output in the challenge phase; the probability that $B$ guesses correctly is at least $1/(nq)$ where $n = |HU|$, and $1/(nq)$ is non-negligible as long as both $n$ and $q$ are polynomial.

During the find and guess phases, $A$ makes adaptive queries to the re-encryption key generation oracle $O_{rk}(\cdot, \cdot, \cdot)$, the re-encryption oracle $O_{renc}(\cdot, \cdot, \cdot, \cdot)$, and the first level decryption oracle $O_{dec}(\cdot, \cdot)$. $B$ responds to the oracle queries as follows, where we assume that $i \neq j$.

- $O_{rk}(pk_i, pk_j, t_\kappa)$: The queries are classified into four cases. Let $F_{t_\kappa}(x)$ be the polynomial of degree $q - 2$

$$F_{t_\kappa}(x) = \frac{f(x)}{x + t^* - t_\kappa} = \prod_{\tau = 1,\ t_\tau \neq t^*, t_\kappa}^{q} (x + t^* - t_\tau).$$
We can write $F_{t_\kappa}(x) = \sum_{\tau = 0}^{q - 2} \mu_\tau x^\tau$, where $\mu_0, \ldots, \mu_{q - 2} \in \mathbb{Z}_p$ are the coefficients of $F_{t_\kappa}(x)$.

(i) If $i \in HU \setminus \{i^*\}$ and $j \in HU \cup CU$, $B$ simply computes the re-encryption key $rk^{t_\kappa}_{i \to j} \leftarrow \mathrm{Rekeygen}(sk_i, pk_j, t_\kappa)$, since it knows every $x_i$ except that of the target user. The unknown value $y_i \alpha$ is not required for computing the re-encryption key.

(ii) If $i = i^*$, $j \in HU$ and $t_\kappa \neq t^*$, then $B$ sets

$$rk = Y_j^{1/(x_{i^*} - t_\kappa)} = g^{\varsigma y_j \alpha f(\alpha)/(\alpha + t^* - t_\kappa)} = g^{\varsigma y_j \alpha F_{t_\kappa}(\alpha)} = \prod_{\tau = 0}^{q - 2} g_{\tau + 1}^{\varsigma y_j \mu_\tau}.$$
(iii) If $i = i^*$, $j \in HU$ and $t_\kappa = t^*$, then $B$ sets

$$rk = Y_j^{1/(x_{i^*} - t_\kappa)} = h^{y_j \alpha/(\alpha + t^* - t_\kappa)} = h^{y_j}.$$

(iv) If $i = i^*$, $j \in CU$ and $t_\kappa \neq t^*$, then $B$ sets

$$rk = Y_j^{1/(x_{i^*} - t_\kappa)} = g^{\varsigma y_j f(\alpha)/(\alpha + t^* - t_\kappa)} = g^{\varsigma y_j F_{t_\kappa}(\alpha)} = \prod_{\tau = 0}^{q - 2} g_\tau^{\varsigma y_j \mu_\tau}.$$

$B$ returns the re-encryption key $rk^{t_\kappa}_{i \to j} = (t_\kappa, rk)$ to $A$. In the case of a query $O_{rk}(pk_{i^*}, pk_j, t^*)$ with $j \in CU$, which means that $B$ was unfortunate in its choice of $i^*$ and $t^*$ during Setup, $B$ terminates the simulation and returns a random bit.

- $O_{renc}(pk_i, pk_j, t_\kappa, C_i)$: Given a second level ciphertext $C_i = (svk, c_1, c_2, c_3, c_4, \sigma)$, $B$ checks whether $t_\kappa = c_1$. If $t_\kappa \neq c_1$, $B$ returns $\perp$. Otherwise, $B$ checks the validity of the other components of the ciphertext by testing whether Eqs. (1) and (2) hold. If the relations do not hold, $B$ returns $\perp$. Otherwise, $B$ proceeds as follows.

(i) If $i = i^*$, $j \in CU$ and $t_\kappa = t^*$:

(a) If $svk = svk^*$, this case falls under the event $F_{\mathrm{Sig}}$ or $C_i = C^*$. In the find phase, the case $svk = svk^*$ occurs when $A$ uses the challenge key pair $(ssk^*, svk^*)$ to generate the ciphertext $C_i$ even though $A$ has no information about $(ssk^*, svk^*)$. In the guess phase, the case $svk = svk^*$ occurs when $A$ forges a new signature on a new pair $(c_3, c_4)$ or queries the challenge ciphertext $C^*$. When $C_i = C^*$, $B$ does not respond to the query, because a re-encryption query on the challenge ciphertext $C^*$ for a corrupt user $j \in CU$ and the challenge type $t^*$ is not allowed. When $F_{\mathrm{Sig}}$ happens, $B$ terminates the simulation and returns a random bit.

(b) If $svk \neq svk^*$, $B$ picks a random $\bar w \in \mathbb{Z}_p$ and implicitly sets $w = \bar w \alpha$; then

$$c' = Y_j^{w/(x_{i^*} - t_\kappa)} = h^{y_j \bar w \alpha/(\alpha + t^* - t_\kappa)} = h^{y_j \bar w},\qquad c'_1 = (X_{i^*} g^{-t_\kappa})^{1/w} = g^{(x_{i^*} - t_\kappa)/w} = g^{(\alpha + t^* - t_\kappa)/(\bar w \alpha)} = g^{1/\bar w}.$$

Before computing $c'_2$, $B$ recovers $g^s$ from $c_4$ and $c_2$ (since $t_\kappa = t^*$, we have $c_2 = g^{s(\alpha + t^* - t_\kappa)} = g_1^{s}$):

$$\left(\frac{c_4}{c_2^{\gamma_2}}\right)^{1/(\gamma_1 (svk - svk^*))} = \left(\frac{g^{s \gamma_1 (svk - svk^*)} g_1^{s \gamma_2}}{g^{s(\alpha + t^* - t_\kappa) \gamma_2}}\right)^{1/(\gamma_1 (svk - svk^*))} = \left(g^{s \gamma_1 (svk - svk^*)}\right)^{1/(\gamma_1 (svk - svk^*))} = g^s,$$

where $B$ knows $\gamma_1$, $\gamma_2$, and $svk^*$. Then $B$ computes

$$c'_2 = c_2^{1/w} = g^{s(x_{i^*} - t_\kappa)/w} = g^{s\alpha/(\bar w \alpha)} = g^{s/\bar w} = (g^s)^{1/\bar w}.$$
(ii) In every case other than (i), $B$ can compute the re-encryption key $rk^{t_\kappa}_{i \to j}$ for re-encrypting from user $i$ to user $j$ for the type $t_\kappa$, so $B$ simply re-encrypts the ciphertext $C_i$ by running the usual re-encryption algorithm, $C_j \leftarrow \mathrm{Renc}(rk^{t_\kappa}_{i \to j}, C_i)$.

- $O_{dec}(pk_i, C_i)$: Given a first level ciphertext $C_i = (svk, c', c'_1, c'_2, c_3, c_4, \sigma)$, $B$ returns $\perp$ if Eqs. (3) and (4) do not hold. Otherwise, $B$ returns a message $m$ to $A$ as follows.

(i) If $svk = svk^*$, either $F_{\mathrm{Sig}}$ occurs or $(pk_i, C_i)$ is a derivative of $(pk_{i^*}, C^*)$. In the find phase, the case $svk = svk^*$ occurs when $A$ uses the challenge key pair $(ssk^*, svk^*)$ to generate the ciphertext $C_i$. In the guess phase, the case $svk = svk^*$ occurs when $(pk_i, C_i)$ is a derivative of $(pk_{i^*}, C^*)$ or when $A$ forges a new signature on a new pair $(c_3, c_4)$. When $\sigma = \sigma^*$, $B$ does not respond to the query, because a query on a derivative of $(pk_{i^*}, C^*)$ is not allowed. When $F_{\mathrm{Sig}}$ happens, $B$ terminates the simulation and returns a random bit.

(ii) If $svk \neq svk^*$, $B$ responds to the query according to three cases. When $i \in HU \setminus \{i^*\}$, $B$ first computes

$$\left(\frac{e(c_4, h)}{e(c'_2, c')^{\gamma_2 / y_i}}\right)^{1/(\gamma_1 (svk - svk^*))} = \left(\frac{e\big((u^{svk} v)^s, h\big)}{e(g, h^{y_i \alpha})^{s \gamma_2 / y_i}}\right)^{1/(\gamma_1 (svk - svk^*))} = \left(\frac{e\big(g^{s \gamma_1 (svk - svk^*)} g_1^{s \gamma_2}, h\big)}{e(g_1^{s \gamma_2}, h)}\right)^{1/(\gamma_1 (svk - svk^*))} = e(g, h)^s,$$

where $e(c'_2, c') = e(g, Y_i)^s$ by Eq. (4). Then $B$ computes $m = c_3 / e(g, h)^s$. When $i = i^*$, $y_i$ is replaced with $y$ in the above computation. When $i \in CU$, $B$ can decrypt the ciphertext directly using the known private key $y_i$.
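The reduction's central trick, computing $h$ and the re-encryption keys of cases (ii) and (iv) from the powers $g_0, \ldots, g_q$ alone, checked in an exponent-level model of $G$. This is an added example, not the paper's code; the polynomial helpers, the `challenger` function (which also leaks $\alpha$ so that the simulator's output can be compared with the real key) and the small prime are constructed for the illustration.

```python
import secrets

# Exponent-level model of G (constructed for this example): the element g^a is stored as
# a mod p, so a product in G is a sum of logs and a power is a product. The simulator B
# receives only the logs of g_0, ..., g_q, i.e. alpha^0, ..., alpha^q; it never sees alpha.
P = 2**61 - 1  # prime group order (constructed choice)

def rand():
    return secrets.randbelow(P - 1) + 1

def poly_mul(a, b):
    # coefficient lists, lowest degree first
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out

def poly_from_shifts(shifts):
    # coefficients of prod_tau (x + shift_tau); both f(x) and F_{t_kappa}(x) have this form
    f = [1]
    for c in shifts:
        f = poly_mul(f, [c % P, 1])
    return f

def g_product(g_logs, exps, offset=0):
    # log of prod_tau g_{tau+offset}^{exps[tau]}, using only the powers B was given
    assert len(exps) + offset <= len(g_logs)
    return sum(e * g_logs[tau + offset] for tau, e in enumerate(exps)) % P

def challenger(q):
    # what the q-wDBDHI challenger hands to B; alpha is returned only for the check below
    alpha = rand()
    return alpha, [pow(alpha, tau, P) for tau in range(q + 1)]

def sim_setup(g_logs, types, t_star):
    # f(x) = prod_{t_tau != t*} (x + t* - t_tau), degree q-1, then h = g^{varsigma f(alpha)}
    f = poly_from_shifts([t_star - t for t in types if t != t_star])
    varsigma = rand()
    return varsigma, g_product(g_logs, [varsigma * nu % P for nu in f])

def sim_rk(g_logs, types, t_star, t_kappa, varsigma, y_j, honest):
    # rk = Y_j^{1/(x_{i*} - t_kappa)} with x_{i*} = alpha + t*, via F_{t_kappa}(x) =
    # f(x)/(x + t* - t_kappa) = sum mu_tau x^tau:
    #   case (ii), honest j (Y_j = h^{y_j alpha}): prod g_{tau+1}^{varsigma y_j mu_tau}
    #   case (iv), corrupt j (Y_j = h^{y_j}):      prod g_tau^{varsigma y_j mu_tau}
    assert t_kappa != t_star  # t_kappa = t* is case (iii), rk = h^{y_j}
    F = poly_from_shifts([t_star - t for t in types if t not in (t_star, t_kappa)])
    return g_product(g_logs, [varsigma * y_j * mu % P for mu in F], 1 if honest else 0)

def real_rk(alpha, h, t_star, t_kappa, y_j, honest):
    # the same key computed with the secret exponent: Y_j^{1/(alpha + t* - t_kappa)}
    y_log = h * y_j * (alpha if honest else 1) % P
    return y_log * pow((alpha + t_star - t_kappa) % P, -1, P) % P

def simulation_matches(types, t_star, y_j):
    # B's h equals g^{varsigma f(alpha)} and B's keys equal the real ones for every t_kappa != t*
    alpha, g_logs = challenger(len(types))
    varsigma, h = sim_setup(g_logs, types, t_star)
    f_alpha = 1
    for t in types:
        if t != t_star:
            f_alpha = f_alpha * (alpha + t_star - t) % P
    if h != varsigma * f_alpha % P:
        return False
    return all(sim_rk(g_logs, types, t_star, tk, varsigma, y_j, hon)
               == real_rk(alpha, h, t_star, tk, y_j, hon)
               for tk in types if tk != t_star for hon in (True, False))
```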
The responses of the re-encryption and first level decryption oracles do not give any information to A and also do not help A distinguish between the simulation and the actual construction, since the validity check of input ciphertexts rejects all non-well-formed ciphertexts except with negligible probability.

When the find phase is over, A submits the challenge messages $(m_0, m_1)$, the challenge type $t^*$, and the target user $i^*$, where the probability that A submits $(t^*, i^*)$ is $1/(nq)$. Then B picks random $b \in \{0, 1\}$ and generates the challenge ciphertext $C^* = (svk^*, c_1^*, c_2^*, c_3^*, c_4^*, \sigma^*)$ where
$$c_1^* = t^*, \quad c_2^* = \hat g, \quad c_3^* = m_b \cdot e\Big(\hat g, \prod_{\tau=0}^{q-2} g_\tau^{\varsigma \nu_{\tau+1}}\Big) \cdot Z^{\varsigma \nu_0}, \quad c_4^* = \hat g^{\gamma_2}, \quad \sigma^* = S(ssk^*, (c_3^*, c_4^*)),$$
for random $s = \beta/\alpha$ where $\beta = \log_g \hat g$. If the q-wDBDHI challenge is on $P_{q\text{-wDBDHI}}$, $C^*$ is a valid ciphertext since
$$c_2^* = g^{\frac{\beta}{\alpha}(\alpha + t^* - t^*)} = \hat g, \qquad c_4^* = (u^{svk^*} v)^s = \big(g^{\gamma_1(svk^* - svk^*)} g_1^{\gamma_2}\big)^{\beta/\alpha} = \hat g^{\gamma_2},$$
$$c_3^* = m_b \cdot e(g, h)^{\beta/\alpha} = m_b \cdot e\Big(\hat g, \prod_{\tau=0}^{q-1} g_\tau^{\varsigma \nu_\tau}\Big)^{1/\alpha} = m_b \cdot e\Big(\hat g, \prod_{\tau=0}^{q-2} g_\tau^{\varsigma \nu_{\tau+1}}\Big) \cdot e(g, \hat g)^{\varsigma \nu_0/\alpha}.$$
The adversary A's view is identical to the view in the real attack environment. In contrast, if the q-wDBDHI challenge is on $R_{q\text{-wDBDHI}}$, $Z$ has a random distribution on $G_T$. Thus A cannot guess $b$ with probability better than $1/2$. The adversary A finally outputs a guess $b' \in \{0, 1\}$ and then B concludes its own game by outputting a guess as follows. If $b' = b$ then B decides that the q-wDBDHI challenge is on $P_{q\text{-wDBDHI}}$ and outputs 1. Otherwise, B decides that the q-wDBDHI challenge is on $R_{q\text{-wDBDHI}}$ and outputs 0. Therefore, we have
$$\Big| \Pr[B(g, g_1, \ldots, g_q, \hat g, e(g, \hat g)^{1/\alpha}) = 0] - \Pr[B(g, g_1, \ldots, g_q, \hat g, R) = 0] \Big| \ge \frac{\epsilon}{nq},$$
where $\Pr[F_{Sig}]$ is omitted because its probability is negligible.

Theorem 2. The proposed TB-PRE scheme is IND-t-Pr-RCCA at the first level if the one-time signature Sig is strongly unforgeable and the q-wDBDHI assumption holds in $G$.

Proof. Unlike the game of the second level ciphertext security, the adversary in the game of the first level ciphertext security can access all the re-encryption keys.
Thus the re-encryption oracle is not required during the simulation. Let A be the adversary that breaks the IND-t-Pr-RCCA security at the first level with advantage $\epsilon$. We construct an algorithm B that solves the q-wDBDHI problem by interacting with A. The algorithm B proceeds as follows. Before describing B, we define an event $F_{Sig}$ as in Theorem 1. The difference is that the event $F_{Sig}$ only occurs during a decryption query. Therefore, the probability of the event $F_{Sig}$ is $\Pr[F_{Sig}] \le q_{dec}/p + Adv_{Sig}$, where $q_{dec}$ is the maximum number of first level decryption oracle queries. If the event $F_{Sig}$ occurs, B terminates the simulation and returns a random bit. Assuming the strong unforgeability of the one-time signature, the event $F_{Sig}$ occurs with negligible probability. In the description below, we omit the overlap with Theorem 1 for simplicity.

- Setup: B generates a type set $T = \{t_1, \ldots, t_{q-1}\}$ with $t_i \in \mathbb{Z}_p$, where the $q-1$ types are all distinct. If $\alpha \in T$, B uses $\alpha$ to solve the q-wDBDHI problem. Otherwise, it defines a polynomial $f(x) = \prod_{\tau=1}^{q-1}(x - t_\tau)$ of degree $q-1$, expands $f(x)$, and writes $f(x) = \sum_{\tau=0}^{q-1} \nu_\tau x^\tau$ where $\nu_0, \ldots, \nu_{q-1} \in \mathbb{Z}_p$ are the coefficients of the polynomial $f(x)$. It picks random $\varsigma \in \mathbb{Z}_p$ and sets (with $g_0 = g$)
$$h = g^{\varsigma f(\alpha)} = \prod_{\tau=0}^{q-1} g_\tau^{\varsigma \nu_\tau}.$$
It chooses a strongly unforgeable one-time signature $Sig = (G, S, V)$, generates a one-time signature key pair $(ssk^*, svk^*) \leftarrow G(\lambda)$, and sets $u = g^{\gamma_1}$, $v = g^{-\gamma_1 svk^*} g_1^{\gamma_2}$ for random $\gamma_1, \gamma_2 \in \mathbb{Z}_p$. The algorithm B sends the adversary A the global parameter $param = \{G, G_T, g, h, u, v, Sig, T\}$.

- Key generation: The target user's public key is set, for random $y \in \mathbb{Z}_p$, as
$$pk_{i^*} = (X_{i^*}, Y_{i^*}) = (g^{x_{i^*}}, h^{y_{i^*}}) = \Big(g_1,\ h^{y\alpha}\Big) = \Big(g_1,\ \prod_{\tau=1}^{q} g_\tau^{y \varsigma \nu_{\tau-1}}\Big),$$
where the private key $sk_{i^*} = (x_{i^*}, y_{i^*}) = (\alpha, y\alpha)$ is unknown. For a user $i \in \{HU, CU\} \setminus \{i^*\}$, B sets the private key $sk_i = (x_i, y_i)$ and the public key $pk_i = (g^{x_i}, h^{y_i})$ for random $x_i, y_i \in \mathbb{Z}_p$.
To simulate A's environment successfully, B should predict the target user $i^*$. The probability is at least $1/n$ where $n = |HU|$, and $1/n$ is non-negligible as long as $n$ is polynomial. During the find and guess phases, A makes adaptive queries to the re-encryption key generation oracle $O_{rk}(\cdot, \cdot, \cdot)$ and the first level decryption oracle $O_{dec}(\cdot, \cdot)$. B responds to the queries as follows, where we assume that $i \neq j$.

- $O_{rk}(pk_i, pk_j, t_\kappa)$: Let $F_{t_\kappa}(x)$ be the polynomial of degree $q-2$ defined by $F_{t_\kappa}(x) = f(x)/(x - t_\kappa) = \prod_{\tau=1, \tau \neq \kappa}^{q-1}(x - t_\tau)$. We can write $F_{t_\kappa}(x) = \sum_{\tau=0}^{q-2} \mu_\tau x^\tau$ where $\mu_0, \ldots, \mu_{q-2} \in \mathbb{Z}_p$ are the coefficients of the polynomial $F_{t_\kappa}(x)$. When $i = i^*$, B computes
$$rk \leftarrow Y_j^{1/(x_{i^*} - t_\kappa)} = g^{\varsigma y_j f(\alpha)/(\alpha - t_\kappa)} = g^{\varsigma y_j F_{t_\kappa}(\alpha)} = \prod_{\tau=0}^{q-2} g_\tau^{\varsigma y_j \mu_\tau},$$
and returns the re-encryption key $rk^{t_\kappa}_{i,j} = (t_\kappa, rk)$ to A. In the other cases, B simply computes the re-encryption key $rk^{t_\kappa}_{i,j} \leftarrow Rekeygen(sk_i, pk_j, t_\kappa)$, since it knows all $x_i$ except that of the target user.

- $O_{dec}(pk_i, C_i)$: Given a first level ciphertext $C_i = (svk, c', c'', c_2, c_3, c_4, \sigma)$, B returns $\bot$ if Eqs. (3) and (4) do not hold. Otherwise, B returns a message $m$ to A.

(i) If $svk = svk^*$, this case implies that $F_{Sig}$ occurs or $(pk_i, C_i)$ is a derivative of $(pk_{i^*}, C^*)$. When $\sigma = \sigma^*$, B does not respond to the query because a query for a derivative of $(pk_{i^*}, C^*)$ is not allowed. When $F_{Sig}$ happens, B terminates the simulation and returns a random bit.

(ii) If $svk \neq svk^*$, B responds to the query in two cases. When $i = i^*$, B can compute $m$ by using the same method as that of Theorem 1,
$$\left( \frac{e(c_4, h)}{e(c_2, c')^{\gamma_2/y}} \right)^{\frac{1}{\gamma_1(svk - svk^*)}} = \left( \frac{e((u^{svk} v)^s, h)}{e(g, h^{y\alpha})^{s\gamma_2/y}} \right)^{\frac{1}{\gamma_1(svk - svk^*)}} = \left( \frac{e(g^{s\gamma_1(svk - svk^*)} g_1^{s\gamma_2}, h)}{e(g_1^{s\gamma_2}, h)} \right)^{\frac{1}{\gamma_1(svk - svk^*)}} = e(g, h)^s,$$
where $e(c_2, c') = e(g, Y_i)^s$ by Eq. (4). Then B computes $m \leftarrow c_3 / e(g, h)^s$. When $i \in \{HU, CU\} \setminus \{i^*\}$, B can easily compute $m$ by using the known private key $y_i$.
When the find phase is over, A submits the challenge messages $(m_0, m_1)$ and the target user $i^*$, where the probability that A submits $i^*$ is $1/n$. Then B picks random $b \in \{0, 1\}$ and generates the challenge ciphertext $C^* = (svk^*, c'^*, c''^*, c_2^*, c_3^*, c_4^*, \sigma^*)$,
$$c'^* = h^{yc}, \quad c''^* = g_1^{1/c}, \quad c_2^* = \hat g^{1/c}, \quad c_3^* = m_b \cdot e\Big(\hat g, \prod_{\tau=0}^{q-2} g_\tau^{\varsigma \nu_{\tau+1}}\Big) \cdot Z^{\varsigma \nu_0}, \quad c_4^* = \hat g^{\gamma_2}, \quad \sigma^* = S(ssk^*, (c_3^*, c_4^*)),$$
for random $s = \beta/\alpha$ and $r = c/\alpha$, where $\beta = \log_g \hat g$ and $c$ is random in $\mathbb{Z}_p$. If the q-wDBDHI challenge is on $P_{q\text{-wDBDHI}}$, $C^*$ is a valid ciphertext since
$$c'^* = Y_{i^*}^{r} = h^{y\alpha \cdot \frac{c}{\alpha}} = h^{yc}, \qquad c''^* = g^{1/r} = g^{\alpha/c} = g_1^{1/c}, \qquad c_2^* = g^{s/r} = g^{\frac{\beta}{\alpha} \cdot \frac{\alpha}{c}} = \hat g^{1/c},$$
where $c_3^*$ and $c_4^*$ are the same as those of Theorem 1. A's view is identical to the view in the real attack environment. In contrast, if the q-wDBDHI challenge is on $R_{q\text{-wDBDHI}}$, $Z$ has a random distribution on $G_T$. Thus A cannot guess $b$ with probability better than $1/2$. The adversary A finally outputs a guess $b' \in \{0, 1\}$ and then B concludes its own game by outputting a guess as follows. If $b' = b$ then B decides that the q-wDBDHI challenge is on $P_{q\text{-wDBDHI}}$ and outputs 1. Otherwise, B decides that the q-wDBDHI challenge is on $R_{q\text{-wDBDHI}}$ and outputs 0. Therefore, we have
$$\Big| \Pr[B(g, g_1, \ldots, g_q, \hat g, e(g, \hat g)^{1/\alpha}) = 0] - \Pr[B(g, g_1, \ldots, g_q, \hat g, R) = 0] \Big| \ge \frac{\epsilon}{n},$$
where $\Pr[F_{Sig}]$ is omitted because its probability is negligible.

Theorem 3. The proposed TB-PRE scheme is proxy-invisible.

Proof. In Definition 7, the goal of the adversary A is to predict the random bit $b$ of the renc-or-enc oracle. That is, the adversary should distinguish between the outputs of the re-encryption and the outputs of the first level encryption. In our scheme, these outputs have the same values on $(svk, c_3, c_4, \sigma)$, which does not help the adversary distinguish between original encryption and re-encryption. The difference between a first level ciphertext under $pk_j$ and a re-encrypted
ciphertext for a user $j$ can only happen in $(c', c'', c_2)$. These values have the same form and are computed by using different random exponents, $r$ and $w/(x_i - t)$, respectively. That is, the ciphertexts produced by the first level encryption algorithm have a distribution over the random $r$ and the ciphertexts produced by the re-encryption algorithm have a distribution over the random $w/(x_i - t)$. The ciphertexts produced by each algorithm are uniformly distributed because the random $r, w \in \mathbb{Z}_p$ are chosen uniformly. To break the proxy invisibility, the adversary A should distinguish between two uniform distributions, which is infeasible since the two distributions are identical. Therefore, the proposed TB-PRE scheme satisfies proxy invisibility.
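Two steps of the proofs above are easy to lose in the notation: the polynomial expansion that lets B compute $h$, $Y_{i^*}$ and $rk = Y_j^{1/(\alpha - t_\kappa)}$ from $g_0, \ldots, g_q$ without ever knowing $\alpha$ (Theorem 2's Setup and $O_{rk}$), and the identity between a re-encrypted $(c', c'', c_2)$ and a fresh first level triple whose random exponent is $r = w/(x_i - t)$ (Theorem 3). Both are carried out below as an added example; this is not the paper's code. It assumes a toy prime-order subgroup of $\mathbb{Z}_P^*$ in place of the bilinear group (no pairing is needed for these components), constructed values for $\alpha$, the type set, $\varsigma$, $y$, $y_j$, $x_i$, $w$ and $s$, and function names (`assemble`, `simulate_setup_and_rekey`, `reencrypt_triple`, and so on) that are mine. It also spells out B's check for the bad event $\alpha \in T$ as a comparison of $g_1$ with $g^{t}$ for each type $t$, which is how a simulator that holds $g_1 = g^\alpha$ can notice the collision.

```python
# Added example (not the paper's code): the polynomial-in-the-exponent trick of
# Theorem 2's simulator and the re-encryption identity behind Theorem 3, in a toy
# prime-order subgroup of Z_P^* (no pairing is needed for these components).
ORDER = 1009  # prime exponent modulus, standing in for p; every value below is constructed

def _is_prime(n):
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return n >= 2

def make_group(order):
    """Prime P = k*order + 1 and a generator g of the order-`order` subgroup of Z_P^*."""
    k = 2
    while not _is_prime(k * order + 1):
        k += 2
    P = k * order + 1
    for a in range(2, P):
        g = pow(a, k, P)  # has order dividing `order`; `order` is prime, so g != 1 suffices
        if g != 1:
            return P, g
    raise ValueError("no generator")

P, G = make_group(ORDER)

def inv(a):
    return pow(a % ORDER, -1, ORDER)

def poly_mul(a, b):
    """Product of two coefficient lists (lowest degree first) over Z_ORDER."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % ORDER
    return out

def expand_roots(roots):
    """nu_0..nu_d of f(x) = prod (x - t): the expansion step of the Setup."""
    f = [1]
    for t in roots:
        f = poly_mul(f, [(-t) % ORDER, 1])
    return f

def divide_by_linear(coeffs, t):
    """Synthetic division of f(x) by (x - t): returns (mu_0..mu_{d-1}, remainder)."""
    n = len(coeffs) - 1
    quot, acc = [0] * n, 0
    for i in range(n, 0, -1):
        acc = (coeffs[i] + t * acc) % ORDER
        quot[i - 1] = acc
    return quot, (coeffs[0] + t * acc) % ORDER

def assemble(powers, coeffs, scalar):
    """prod_tau g_tau^(scalar*coeff_tau) = g^(scalar*poly(alpha)), from g_tau = g^(alpha^tau) only."""
    acc = 1
    for g_tau, c in zip(powers, coeffs):
        acc = acc * pow(g_tau, (scalar * c) % ORDER, P) % P
    return acc

def alpha_in_type_set(powers, types):
    """B's test for the bad event alpha in T: does g_1 = g^alpha equal g^t for some type t?"""
    for t in types:
        if pow(G, t, P) == powers[1]:
            return t
    return None

def simulate_setup_and_rekey(powers, types, kappa, varsigma, y, y_j):
    """Theorem 2's Setup, target key and O_rk (i = i*) from g_0..g_q alone:
    h = g^(varsigma f(alpha)), Y_{i*} = h^(y alpha), rk = Y_j^(1/(alpha - t_kappa))."""
    f = expand_roots(types)                                      # nu_0..nu_{q-1}
    h = assemble(powers, f, varsigma)                            # prod g_tau^(varsigma nu_tau)
    y_target = assemble(powers[1:], f, (y * varsigma) % ORDER)   # prod g_{tau+1}^(y varsigma nu_tau)
    big_f, rem = divide_by_linear(f, types[kappa])               # mu_0..mu_{q-2}
    assert rem == 0                                              # t_kappa is a root of f
    rk = assemble(powers, big_f, (varsigma * y_j) % ORDER)       # g^(varsigma y_j F_{t_kappa}(alpha))
    return h, y_target, rk

def rekeygen(x_i, Y_j, t):
    return pow(Y_j, inv(x_i - t), P)                             # rk = Y_j^(1/(x_i - t))

def second_level_c2(X_i, t, s):
    return pow(X_i * pow(G, (-t) % ORDER, P) % P, s, P)          # (X_i g^-t)^s

def reencrypt_triple(rk, X_i, t, c2, w):
    """Proxy side: uses only rk, the delegator's public X_i, the type and its own random w."""
    c_prime = pow(rk, w, P)                                      # Y_j^(w/(x_i - t))
    c_dprime = pow(X_i * pow(G, (-t) % ORDER, P) % P, inv(w), P)  # (X_i g^-t)^(1/w)
    return c_prime, c_dprime, pow(c2, inv(w), P)                 # c_2^(1/w)

def fresh_triple(Y_j, r, s):
    """First-level encryption's (c', c'', c_2) with random exponent r."""
    return pow(Y_j, r, P), pow(G, inv(r), P), pow(G, (s * inv(r)) % ORDER, P)
```

To check the simulation, play the challenger: pick $\alpha$, form `powers = [pow(G, pow(alpha, tau, ORDER), P) for tau in range(q + 1)]`, and compare the returned `h` and `rk` with $g^{\varsigma f(\alpha)}$ and `rekeygen(alpha, h**y_j, t_kappa)` computed with $\alpha$ in hand; the simulator itself never reads $\alpha$, only the list of powers. The Theorem 3 identity is checked by comparing `reencrypt_triple(...)` with `fresh_triple(Y_j, w * inv(x_i - t) % ORDER, s)`: the two triples are equal as group elements, so a uniform $w$ yields exactly the distribution a uniform $r$ yields.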
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationGeneric Constructions for Chosen-Ciphertext Secure Attribute Based Encryption
Generic Constructions for Chosen-Ciphertext Secure Attribute Based Encryption Shota Yamada 1, Nuttapong Attrapadung 2, Goichiro Hanaoka 2 and Noboru Kunihiro 1 1 The University of Tokyo. {yamada@it., kunihiro@}
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationLecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004
CMSC 858K Advanced Topics in Cryptography January 27, 2004 Lecturer: Jonathan Katz Lecture 1 Scribe(s): Jonathan Katz 1 Introduction to These Notes These notes are intended to supplement, not replace,
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationResearch Article Re-Encryption Method Designed by Row Complete Matrix
Hindawi Publishing Corporation Mathematical Problems in Engineering Volume 2012, Article ID 402890, 14 pages doi:10.1155/2012/402890 Research Article Re-Encryption Method Designed by Row Complete Matrix
More informationRSA-OAEP and Cramer-Shoup
RSA-OAEP and Cramer-Shoup Olli Ahonen Laboratory of Physics, TKK 11th Dec 2007 T-79.5502 Advanced Cryptology Part I: Outline RSA, OAEP and RSA-OAEP Preliminaries for the proof Proof of IND-CCA2 security
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationCryptographic Security of Macaroon Authorization Credentials
Cryptographic ecurity of Macaroon Authorization Credentials Adriana López-Alt New York University ecember 6, 2013 Abstract Macaroons, recently introduced by Birgisson et al. [BPUE + 14], are authorization
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationThe Twin Diffie-Hellman Problem and Applications
The Twin Diffie-Hellman Problem and Applications David Cash 1 Eike Kiltz 2 Victor Shoup 3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This
More informationAnalysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes
Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes Alexandra Boldyreva 1 and Marc Fischlin 2 1 College of Computing, Georgia Institute of Technology, 801 Atlantic Drive,
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationA New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack
A New Variant of the Cramer-Shoup KEM Secure against Chosen Ciphertext Attack Joonsang Baek 1 Willy Susilo 2 Joseph K. Liu 1 Jianying Zhou 1 1 Institute for Infocomm Research, Singapore 2 University of
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationRing Signatures without Random Oracles
Ring Signatures without Random Oracles Sherman S. M. Chow 1, Joseph K. Liu 2, Victor K. Wei 3 and Tsz Hon Yuen 3 1 Department of Computer Science Courant Institute of Mathematical Sciences New York University,
More informationf (x) f (x) easy easy
A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultat fur Mathematik, Ruhr-Universitat Bochum, Germany. URL:
More information