Identity-based Hierarchical Key-insulated Encryption without Random Oracles
|
|
- Hector Henry
- 5 years ago
- Views:
Transcription
1 Identity-based Hierarchica Key-insuated Encryption without Random Oraces Yohei Watanabe 1,3 Junji Shikata 1,2 1 Graduate Schoo of Environment and Information Sciences, YNU, Japan 2 Institute of Advanced Sciences, YNU, Japan 3. ITRI, AIST, Japan
2 Key Insuation [DKXY02] One of soutions to key exposure probem 2. Even if is exposed, the security is not compromised uness at east one is exposed 1. If a number of are exposed, the fact does not affect at other time-periods The scheme is secure if it satisfies 1 strongy secure if it satisfies both 1 and 2 2
3 Hierarchica Key Insuation [HHSI05] There seem to be various practica appications! 3
4 Identity-based Hierarchica Key-insuated Encryption [HHSI05] Abbreviated to ``hierarchica IKE Identity-based encryption (IBE) with hierarchica key insuation Intuition: NOT hierarchica IBE (HIBE) with key insuation First proposed by Hanaoka et a. at ASIACRYPT 2005 [HHSI05] In the random orace mode (ROM) However, NO known hierarchica IKE schemes w/o ROM! 4
5 Our Contribution We propose an -eve hierarchica IKE scheme that achieves: (1) Strong security in the standard mode from simpe assumptions Using asymmetric pairing From Symmetric externa Diffie-Heman (SXDH) assumption Based on Juta-Roy HIBE [JR13] and its variant [RS14] (2) Space efficiency (any parameters do not depend on ID-space sizes) Constant-size parameters when the hierarchy is one (i.e. = 1) Pubic parameters of the existing scheme [WLC+08] depend on ID-space sizes due to the underying Waters IBE [wat05] Why is achieving (1) and (2) chaenging? (more on this ater) Hierarchica IKE from any HIBE does not satisfy strong security Proof technique of Waters dua-system IBE [Wat09] does not work we 5
6 Type-3 Pairing and SXDH Assumption Type-3 Pairing (asymmetric pairing) e: G 1 G 2 G T No efficienty computabe isomorphisms between G 1 and G 2 are known SXDH Assumption [BBS04] Decisiona Diffie Heman (DDH) assumptions hod in G 1 and G 2, respectivey Advantage of A in the DDHi game (i {1, 2}) is defined by: Adv λ Pr b = b D p, G 1, G 2, G T, g 1, g 2, e G c 1, c 2 Z p, b 0, 1 if b = 0 then T g i c 1 c 2 ese T G i b A D, g i c 1, g i c 2, T. 6
7 Time-period Map Function [HHSI05] Functions for severa kinds of time-periods T 0,, T 1 Exampe: = 4, time= 9:59 / 7th / Oct. / 2015 T 0 time = t 19 0 = 1st 15th / Oct. / 2015, T 1 time = t 10 1 = Oct. / 2015, T 2 time = t 5 2 = Set. Oct. / 2015, T 3 time = t 2 3 = Ju. Dec. /
8 Hierarchica IKE: Mode Exampe: = 2 time,time t i time Δ T i 1 (time) if t i = T i time i otherwise T 0 (time) τ i 1 t i 1 t i 1 time (i 1) 8
9 Hierarchica IKE: Security IND-KE-CPA security: KG orace M 0, M 1, time * A C b A KI orace i time C Enc(, time, M b ) Limitation of KI orace A can issue any queries if there exists at east one specia eve j 0,, incude strong security Hierarchy 4 3 j i T i (time) : Keys for that A can obtain 9 time *
10 Why Hierarchica IKE from HIBE is Insufficient -eve Hierarchica IKE ( + 1)-eve HIBE 2 (, t 1,, t 2 ) If secret key for is eaked, a other secret keys can be generated the resuting scheme does not meet strong security does not meet IND-KE-CPA security! 10
11 Why Waters Technique Does Not Work Waters dua system IBE [Wat09] Ciphertext ct contains tag C and secret key sk I contains tag K Important proof technique: Some pairwise independent function is embedded into the pubic parameter for canceing vaues It raises tag C = tag K for the same identity However, the proof works we since it is enough to generate Ony tag K for a identities Ony tag C for the target identity On the other hand, in (hierarchica) IKE, A can get secret keys for (i.e. tag K ) as we as for Waters technique cannot seem to be appied! 11
12 Why Juta Roy HIBE? We can avoid such a coision probem! sk I does not contain any tag, though ct contains tag Juta Roy HIBE [JR13] and its variant [RS14] Constant-size IBE (when = 1) IND-ID-CPA security under the SXDH assumption Constant-size owest-eve key unike [Wat09,LW11] It eads to constant-size decryption key Remark There might be other constant-size IBE schemes that can avoid the coision probem 12
13 Basic Idea of Our Construction Specific ( + 1)-eve HIBE ( ( + 1)-eve Juta Roy HIBE ) + (, )-secret sharing: secret B and shares β i (0 i 1) s.t. B = 1 i=0 β i hk ID,0 g B (D 1, D 1, D 2, D 2, D 3 g B, K j, K j 1 ) j=1 i hk ID,ti i (, t 1,, t i ) g β i (g β i, D 1, D 1, D 2, D 2, D 3 g j=0 i 1 βj, K 1, K 1 ) (, t 1,, t 0 ) g β 0 dk ID,t0 (g β 0, D 1, D 1, D 2, D 2, D 3 ) A β i are needed to generate correct decryption key D 1, D 1, D 2, D 2, D 3 Adversary cannot generate decryption key for * at time *! 13
14 Encryption and Decryption Procedure Enc(mpk,, time, M): mpk (z, g 1, g α 1, u 1,j, w j=0 1, h 1, ) Choose s, tag Z p. Compute 1 s C 0 Mz s, C 1 g 1 s, C 2 g 1 α s, C 3 t j u 1,j I tag u 1, w 1 h1, j=0 where t j T j (time) (0 j 1). Output C C 0, C 1, C 2, C 3, tag. Dec dk I,t0, C, time : dk I,t0 (R 0, D 1, D 1, D 2, D 2, D 3 ) M = C 0 e C 3, D 3 e C 1, D 1 tag D1 e C 2, D 2 tag D2. 14
15 Parameter Evauation and Comparison #pp #dk #hk i #C Enc. cost Dec. cost G 6 G (2i + 6) G 4 G + Z p [0,0, + 4,1] [3,0,2,0] G : bit-ength of a group eement in G 1, G 2, or G T Z p : bit-ength of an eement in Z p #pp, #dk, #hk i, #C: sizes of pubic parameter, dec. key, i-th heper key, and ciphertext [,,, ] : [pairing, muti-exp., reguar-exp., fix-based-exp.] HHSI05 ( = 1) WLC+08 (threshod t = 1) Our scheme ( = 1) #pp #dk #hk #C Enc. cost Dec. cost 2 G 3 G G 4 G + r [1,0,2,1] [4,0,2,1] Assumption CBDH (in ROM) 2n+ 5 G 4 G 2 G 4 G [0,1,2,1] [3,0,0,0] DBDH 16 G 6 G 7 G 4 G + Z p [0,0,5,1] [3,0,2,0] SXDH r : randomness that depends on the security parameter n : size of ID space (i.e., I 0,1 n ) 15
16 16 CCA-secure Hierarchica IKE An we-known transformation [CHK04,BCHK06] : ( 1) We cannot appy the transformation to a hierarchica IKE scheme in a generic way since it does not have deegating functionaity: ( 1) However, by modifying the proposed hierarchica IKE scheme, we can reaize CCA-secure scheme based on the transformation: ( 1)
17 17 Concusion We proposed -eve hierarchica IKE scheme: met strong security (IND-KE-CPA security) without ROM secure under the SXDH assumption, which is a simpe, static one achieved constant-size parameters when = 1 We aso showed CCA-secure scheme from Proposed CPA-secure hierarchica IKE scheme; and Any one-time signature
CONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More informationHierarchical identity-based encryption
Hierarchical identity-based encryption Michel Abdalla ENS & CNS September 26, 2011 MPI - Course 2-12-1 Lecture 3 - Part 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26,
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationOn the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC)
More informationSearchable encryption & Anonymous encryption
Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /
More informationMinalpher v1. Designers Yu Sasaki, Yosuke Todo, Kazumaro Aoki, Yusuke Naito, Takeshi Sugawara, Yumiko Murakami, Mitsuru Matsui, Shoichi Hirose
Minapher v1 Designers Yu Sasaki, Yosuke Todo, Kazumaro Aoki, Yusuke Naito, Takeshi Sugawara, Yumiko Murakami, Mitsuru Matsui, Shoichi Hirose Submitters NTT Secure Patform Laboratories, Mitsubishi Eectric
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationA Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University
A Survey of Computational Assumptions on Bilinear and Multilinear Maps Allison Bishop IEX and Columbia University Group Basics There are two kinds of people in this world. Those who like additive group
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationIdentity Based Encryption
Bilinear Pairings in Cryptography: Identity Based Encryption Dan Boneh Stanford University Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G(λ) (pk,sk) outputs pub-key and secret-key
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationSequential Aggregate Signatures Made Shorter
Sequentia ggregate Signatures Made Shorter Kwangsu Lee Dong Hoon Lee Moti Yung bstract Sequentia aggregate signature (SS) is a specia type of pubic-key signature that aows a signer to add his signature
More informationTightly CCA-Secure Encryption without Pairings. Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS
Tightly CCA-Secure Encryption without Pairings Romain Gay, ENS Dennis Hofheinz, KIT Eike Kiltz, RUB Hoeteck Wee, ENS Security of encryption pk Alice Enc(pk, m) Bob sk Security of encryption pk Alice Enc(pk,
More informationAdaptive partitioning. Dennis Hofheinz (KIT, Karlsruhe)
Adaptive partitioning Dennis Hofheinz (KIT, Karlsruhe) Public-Key Encryption Public-Key Encryption Accepted security notion: chosen-ciphertext security (IND-CCA) Public-Key Encryption Accepted security
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationLower Bounds on the Efficiency of Encryption and Digital Signature Schemes
Lower Bounds on the Efficiency of Encryption and Digita Signature Schemes Rosario Gennaro IBM T.J. Watson Research Center Yorktown Heights, NY rosario@watson.ibm.com Yae Gertner Jonathan Katz Department
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationEfficient Selective Identity-Based Encryption Without Random Oracles
Efficient Selective Identity-Based Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient Identity-Based Encryption (IBE) systems that admit selectiveidentity
More informationNotes on Property-Preserving Encryption
Notes on Property-Preserving Encryption The first type of specialized encryption scheme that can be used in secure outsourced storage we will look at is property-preserving encryption. This is encryption
More informationThe k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions
The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions Karyn Benson (UCSD) Hovav Shacham (UCSD) Brent Waters (UT-Austin) Provable Security How to show your cryptosystem
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationVerifiable Random Functions from Standard Assumptions
Verifiabe Random Functions from Standard Assumptions Dennis Hofheinz and Tibor Jager October 30, 2015 Abstract The question whether there exist verifiabe random functions with exponentia-sized input space
More informationNew Revocable IBE in Prime-Order Groups: Adaptively Secure, Decryption Key Exposure Resistant, and with Short Public Parameters
New Revocable IBE in Prime-Order Groups: Adaptively Secure, Decryption Key Exposure Resistant, and with Short Public Parameters Yohei Watanabe,,, Keita Emura 3, and Jae Hong Seo 4 The University of Electro-Communications,
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationEfficient Algorithms for Pairing-Based Cryptosystems
CS548 Advanced Information Security Efficient Agorithms for Pairing-Based Cryptosystems Pauo S. L. M. Barreto, HaeY. Kim, Ben Lynn, and Michae Scott Proceedings of Crypto, 2002 2010. 04. 22. Kanghoon Lee,
More informationForward Secure Ring Signature without Random Oracles
Forward Secure Ring Signature without Random Oraces Joseph K. Liu 1, Tsz Hon Yuen 2, and Jianying Zhou 1 1 Institute for Infocomm Research, Singapore {ksiu,jyzhou}@i2r.a-star.edu.sg 2 University of Hong
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationSecurity Notions for Identity Based Encryption
Security Notions for Identity Based Encryption David Gaindo and Ichiro Hasuo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010, 6500 GL Nijmegen, The Netherands
More informationBounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT) Bounded-Collusion IBE from Semantically-Secure
More informationStructure Preserving CCA Secure Encryption
Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et al. @ CRYPTO'03): veriable encryption of discrete
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationStrong Security Models for Public-Key Encryption Schemes
Strong Security Models for Public-Key Encryption Schemes Pooya Farshim (Joint Work with Manuel Barbosa) Information Security Group, Royal Holloway, University of London, Egham TW20 0EX, United Kingdom.
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationPractical Signatures with Efficient Protocols from Simple Assumptions
Practica Signatures with Efficient Protocos from Simpe Assumptions Benoît Libert, Fabrice Mouhartem, Thomas Peters, Moti Yung To cite this version: Benoît Libert, Fabrice Mouhartem, Thomas Peters, Moti
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationApproximation and Fast Calculation of Non-local Boundary Conditions for the Time-dependent Schrödinger Equation
Approximation and Fast Cacuation of Non-oca Boundary Conditions for the Time-dependent Schrödinger Equation Anton Arnod, Matthias Ehrhardt 2, and Ivan Sofronov 3 Universität Münster, Institut für Numerische
More informationEfficiently Generating Random Bits from Finite State Markov Chains
1 Efficienty Generating Random Bits from Finite State Markov Chains Hongchao Zhou and Jehoshua Bruck, Feow, IEEE Abstract The probem of random number generation from an uncorreated random source (of unknown
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationSemantic Security and Indistinguishability in the Quantum World
Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni 1, Andreas Hülsing 2, Christian Schaffner 3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands
More informationDual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions
Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions Brent Waters University of Texas at Austin Abstract We present a new methodology for proving security of encryption
More informationPractical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles
Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research
More informationUniprocessor Feasibility of Sporadic Tasks with Constrained Deadlines is Strongly conp-complete
Uniprocessor Feasibiity of Sporadic Tasks with Constrained Deadines is Strongy conp-compete Pontus Ekberg and Wang Yi Uppsaa University, Sweden Emai: {pontus.ekberg yi}@it.uu.se Abstract Deciding the feasibiity
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University February 5 2018 Review Relation between PRF and PRG Construct PRF from
More informationMoreau-Yosida Regularization for Grouped Tree Structure Learning
Moreau-Yosida Reguarization for Grouped Tree Structure Learning Jun Liu Computer Science and Engineering Arizona State University J.Liu@asu.edu Jieping Ye Computer Science and Engineering Arizona State
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationTechnische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm
Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION Cryptography Endterm Exercise 1 One Liners 1.5P each = 12P For each of the following statements, state if it
More informationOutsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts
Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts elly Fazio 1,2 and Irippuge Milinda Perera 2 1 The City College of CUY fazio@cs.ccny.cuny.edu 2 The Graduate Center of CUY {nfazio,iperera}@gc.cuny.edu
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Alexandra (Sasha) Boldyreva Symmetric encryption, encryption modes, security notions. 1 Symmetric encryption schemes A scheme is specified by a key generation algorithm K,
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationCryptography from Pairings
DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 1 Cryptography from Pairings Kenny Paterson kenny.paterson@rhul.ac.uk May 31st 2007 DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 2 The Pairings Explosion
More informationBoneh-Franklin Identity Based Encryption Revisited
Boneh-Franklin Identity Based Encryption Revisited David Galindo Institute for Computing and Information Sciences Radboud University Nijmegen P.O.Box 9010 6500 GL, Nijmegen, The Netherlands. d.galindo@cs.ru.nl
More informationCommitted MPC. Maliciously Secure Multiparty Computation from Homomorphic Commitments. 1 Introduction
Committed MPC Maiciousy Secure Mutiparty Computation from Homomorphic Commitments Tore K. Frederiksen 1, Benny Pinkas 2, and Avishay Yanai 2 1 Security Lab, Aexandra Institute, Denmark 2 Department of
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationOn the Selective-Opening Security of DHIES
On the Selective-Opening Security of DHIES and other practical encryption schemes UbiCrypt Research Retreat, Schloss Raesfeld: 29.& 30. Sep. 2014 Felix Heuer, Tibor Jager, Eike Kiltz, Sven Schäge Horst
More informationSecure Function Collection with Sublinear Storage
Secure Function Coection with Subinear Storage Maged H. Ibrahim 1, Aggeos Kiayias 2, Moti Yung 3, and Hong-Sheng Zhou 2 1 Facuty of Engineering, Hewan University, Cairo, Egypt. 2 University of Connecticut,
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationConverting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford)
More informationContinuous Non-Malleable Key Derivation and Its Application to Related-Key Security
Continuous Non-Malleable Key Derivation and Its Application to Related-Key Security Baodong Qin 1,2, Shengli Liu 1,, Tsz Hon Yuen 3, Robert H. Deng 4, and Kefei Chen 5 1. Department of Computer Science
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019
Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationOn (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique)
On (Hierarchical) Identity Based Encryption Protocols with Short Public Parameters (With an Exposition of Waters Artificial Abort Technique) Sanjit Chatterjee and Palash Sarkar Applied Statistics Unit
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationConstrained Pseudorandom Functions: Verifiable and Delegatable
Constrained Pseudorandom Functions: Verifiabe and Deegatabe Nishanth Chandran Srinivasan Raghuraman Dhinakaran Vinayagamurthy Abstract Constrained pseudorandom functions introduced independenty by Boneh
More informationFully Secure (Doubly-)Spatial Encryption under Simpler Assumptions
Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions Cheng Chen, Zhenfeng Zhang, and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More informationA new security notion for asymmetric encryption Draft #8
A new security notion for asymmetric encryption Draft #8 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationFunction-Hiding Inner Product Encryption is Practical
Function-Hiding Inner Product Encryption is Practica Sam Kim 1, Kevin Lewi 2, Avradip Manda 3, Hart Montgomery 3, Arna Roy 3, and David J. Wu 1 1 Stanford University 2 Faceook 3 Fujitsu Laoratories of
More informationChapter 11. Asymmetric Encryption Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationG /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge
G22.3220-001/G63.2180 Advanced Cryptography November 11, 2009 Lecture 10 Lecturer: Yevgeniy Dodis Scribe: Adriana Lopez Last time we: defined Adaptive Soundness and Adaptive Zero Knowledge defined Unbounded
More informationA Solution to the 4-bit Parity Problem with a Single Quaternary Neuron
Neura Information Processing - Letters and Reviews Vo. 5, No. 2, November 2004 LETTER A Soution to the 4-bit Parity Probem with a Singe Quaternary Neuron Tohru Nitta Nationa Institute of Advanced Industria
More informationNew Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts
New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu
More informationInvestigation on spectrum of the adjacency matrix and Laplacian matrix of graph G l
Investigation on spectrum of the adjacency matrix and Lapacian matrix of graph G SHUHUA YIN Computer Science and Information Technoogy Coege Zhejiang Wani University Ningbo 3500 PEOPLE S REPUBLIC OF CHINA
More informationPrivacy-Preserving Aggregation of Time-Series Data with Public Verifiability from Simple Assumptions
Privacy-Preserving Aggregation of Time-Series Data with Public Verifiability from Simple Assumptions Keita Emura National Institute of Information and Communications Technology (NICT), Japan. k-emura@nict.go.jp
More informationMultilayer Kerceptron
Mutiayer Kerceptron Zotán Szabó, András Lőrincz Department of Information Systems, Facuty of Informatics Eötvös Loránd University Pázmány Péter sétány 1/C H-1117, Budapest, Hungary e-mai: szzoi@csetehu,
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationA New Paradigm of Hybrid Encryption Scheme
A New Paradigm of Hybrid Encryption Scheme Kaoru Kurosawa 1 and Yvo Desmedt 2 1 Ibaraki University, Japan kurosawa@cis.ibaraki.ac.jp 2 Dept. of Computer Science, University College London, UK, and Florida
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationRecent Advances in Identity-based Encryption Pairing-based Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-based Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationLecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]
CMSC 858K Advanced Topics in Cryptography February 19, 2004 Lecturer: Jonathan Katz Lecture 8 Scribe(s): Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan 1 Introduction Last time we introduced
More informationUnforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni
Unforgeable quantum encryption Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni Authenticated Encryption! (Using AES with 128 bit block size in Galois Counter Mode and SHA2) Authenticated
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More information