Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More
|
|
- Walter Ellis
- 5 years ago
- Views:
Transcription
1 Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More Nuttapong Attrapadung (Nuts) AIST, 2014, Copenhagen
2 Our Results in One Slide Instantiations:! Framework for fully-secure FE (with tighter reduction) The first fully secure FE for regular languages ABE with short ciphertext unbounded ABE and more
3 Our Results in One Slide Instantiations:! Framework for fully-secure FE (with tighter reduction) The first fully secure FE for regular languages ABE with short ciphertext unbounded ABE focus in this talk and more
4 1 Introduction
5 Functional Encryption Syntax FE for predicate R:A B {0,1} or family {R k } k Setup(k,1 λ ) Encrypt(Y,M,PK) KeyGen(X,MSK,PK) Decrypt(CT,SK) PK, MSK CT SK M if R(X,Y)=1 for ciphertext attribute Y for key attribute X FE here means the class Public-index Predicate Encryption of FE [BSW11].
6 Definition of Full Security for FE Adversary X Y,M 0,M 1 X guess b q 1 times once q 2 times PK SK CT SK KeyGen(X) Enc(Y,M b ) KeyGen(X) Challenger Non-triviality condition: R(X,Y)=0
7 Definition of Selective Security for FE Adversary Y X M 0,M 1 X guess b q 1 times once q 2 times PK SK CT SK KeyGen(X) Enc(Y,M b ) KeyGen(X) Challenger Non-triviality condition: R(X,Y)=0
8 Approaches for Full Security for key for challenge Partitioning IBE [BB04b, Waters05] Seem not to work with richer FE ID space normal semifunctional Dual-System Encryption [Waters09] Work also with richer FE: ABE [LOSTW10,OT10,LW12,] Inner-product enc [OT12,] Spatial encryption [AL10,]
9 Dual System Also Offers Simplicity. An original FE scheme Selectively-secure Similar scheme but in composite-order bilinear group A candidate for fully-secure scheme
10 Boneh-Boyen IBE (selectively secure) Lewko-Waters IBE (fully secure) CT=(g s, g s(h 1+h 2 ID), e(g,g) αs M) CT=(g 1 s, g 1 s(h 1 +h 2 ID), e(g 1,g 1 ) αs M) SK=(g α+r(h 1+h 2 ID ), g r ) SK=(g 1 α+r(h 1 +h 2 ID ) g 3 w 1, g1 r g 3 w 2)
11 Boneh-Boyen IBE (selectively secure) Lewko-Waters IBE (fully secure) CT=(g s, g s(h 1+h 2 ID), e(g,g) αs M) CT=(g 1 s, g 1 s(h 1 +h 2 ID), e(g 1,g 1 ) αs M) SK=(g α+r(h 1+h 2 ID ), g r ) SK=(g 1 α+r(h 1 +h 2 ID ) g 3 w 1, g1 r g 3 w 2) Abstract Selective Secure FE Abstract Fully Secure FE? CT=(g 1 c(s,h), e(g 1,g 1 ) αs M) SK=g 1 k(α,r,h) CT=(g 1 c(s,h), e(g 1,g 1 ) αs M) SK=g 1 k(α,r,h) ᐧg 3 w Apply to any scheme?
12 Successful Applications Selective Full IBE BB04 LW10 ABE Spatial Encryption GPSW06 BH08 LOSTW10 AL10 Unsuccessful Applications FE for regular languages ABE w/ short ciphertexts Fully-unbounded ABE Selective Waters12 ALP11 RW13 Full??? } Open problem!
13 We ask: Why did traditional dual systems fail for some schemes? How to overcome that barrier?
14 To systematically answer, we provide a generic framework.
15 Our Framework Result New primitive: Pair Encoding Generic FE Scheme Perfectly secure pair encoding Computationally secure encoding Doubly selective security
16 Our Framework Result New primitive: Pair Encoding Generic FE Scheme Perfectly secure pair encoding Fully secure FE Computationally secure encoding Doubly selective security Fully secure FE + tighter reduction
17 Our Framework Result New primitive: Pair Encoding Generic FE Scheme Perfectly secure pair encoding Fully secure FE Generalize traditional dual-systems, which implicitly use info-theoretic argument.
18 Our Framework Result New primitive: Pair Encoding Generic FE Scheme Generalize Lewko-Waters12 ABE + New techniques for tighter reduction. Computationally secure encoding Fully secure FE + tighter reduction
19 A Glance at Pair Encoding Recall the abstract scheme CT=(g 1 c(s,h), e(g 1,g 1 ) αs M) SK=g 1 k(α,r,h) ᐧg 3 w Pair encoding consists of c( ) and k( ).
20 Our Answer to Instantiations Selective Fully-secure FE for regular languages ABE w/ short ciphertexts Fully-unbounded ABE Waters12 ALP11 RW13
21 Our Answer to Instantiations Selective Fully-secure FE for regular languages ABE w/ short ciphertexts Fully-unbounded ABE Waters12 ALP11 RW13 Why traditional dual systems failed: (Implicit) encodings were not perfect.
22 Our Answer to Instantiations FE for regular languages ABE w/ short ciphertexts Fully-unbounded ABE Selective Waters12 ALP11 RW13 Fully-secure New! New! New! Why traditional dual systems failed: (Implicit) encodings were not perfect. How to overcome: Use computationally secure encodings
23 A Glance at Tighter Reduction All prior dual-system proofs (except [Chen-Wee Crypto13]) Game 1 1 key/1 game Game q all Reduction=O(q all ), q all= q 1 +q 2
24 A Glance at Tighter Reduction All prior dual-system proofs (except [Chen-Wee Crypto13]) Game 1 Our new approach 1 q 1 one big jump! 1 key/1 game q 2 keys in 1 game Game q all Reduction=O(q all ), q all= q 1 +q 2 q all Reduction=O(q 1 )
25 Related work on Dual-System Framework [Chen-Wee Crypto13]: Dual-system groups Unify prime- and composite-order groups but only to specific predicates (HIBE). Ours unifies for any predicate (but specific to composite-order). [Wee TCC14]: Predicate Encoding Independently abstracting perfectly secure encoding.
26 2 Framework
27 Pair Encoding: Definition Pair Encoding for predicate R={R k } k Enc1(X) Enc2(Y) k(α,r,h) c(s,h) where r=(r 1,,r m ) where s=(s,s 1,,s w )
28 Pair Encoding: Definition Pair Encoding for predicate R={R k } k Param(k) h where h=(h 1,,h m ) Enc1(X) Enc2(Y) k(α,r,h) c(s,h) where r=(r 1,,r m ) where s=(s,s 1,,s w )
29 Pair Encoding: Definition Pair Encoding for predicate R={R k } k Param(k) h where h=(h 1,,h m ) Enc1(X) Enc2(Y) Pair(X,Y) k(α,r,h) c(s,h) E where r=(r 1,,r m ) where s=(s,s 1,,s w ) Correctness : If R(X,Y)=1, k(α,r,h) E c(s,h) T =αs
30 Pair Encoding: Definition Pair Encoding for predicate R={R k } k Param(k) h where h=(h 1,,h m ) Enc1(X) Enc2(Y) Pair(X,Y) k(α,r,h) c(s,h) E where r=(r 1,,r m ) where s=(s,s 1,,s w ) Correctness : If R(X,Y)=1, k(α,r,h) E c(s,h) T =αs Security: If R(X,Y)=0, to be defined.
31 Additional Requirements Parameter-vanishing k(α,0,h) = k(α,0,0) Linearity for k Linearity for c k(α 1,r 1,h)+k(α 2,r 2,h) = k(α 1 +α 2,r 1 +r 2,0) c(s 1 +s 2,h) = c(s 1,h)+c(s 2,h) Linearity implies homogeneity: k(0,0,0)=0, c(0,0)=0
32 Pair Encoding: Example for IBE Param 2 That is, h=(h 1,h 2 ) Enc1(ID) k(α,r,h) = ( α+r(h 1 +h 2 ID), r) Enc2(ID ) Pair(ID,ID ) c(s,h) E = ( s, s(h 1 +h 2 ID ) ) = Correctness If ID=ID (α+r(h 1 +h 2 ID), r) s s(h 1 +h 2 ID ) = αs
33 Composite-order Bilinear Groups G, G T of order N=p 1 p 2 p 3 with bilinear map e: G G G T have prime-order subgroups G 1, G 2, G 3 Orthogonality: e(g i, g j )=1 iff i j Subgroup Decision: Decide if T G 1 or T G 12
34 Constructing FE from Pair Encoding FE for predicate R from Pair encoding for R Setup PK=(g 1, g 1 h, e(g 1,g 1 ) α, g 3 ), MSK=α Encrypt(Y,M,PK) CT=(g 1 c(s,h), e(g 1,g 1 ) αs M) Enc2(Y)=c(s,h) KeyGen(X,MSK) SK=g 1 k(α,r,h). R 3 Enc1(X)=k(α,r,h) Decrypt(CT,SK) e(g 1 k(α,r,h)e, g 1 c(s,h) ᐧR 3 ) = e(g 1,g 1 ) αs k(α,r,h) E c(s,h) T =αs
35 Security Proof of Our Framework
36 Semi-functional Ciphertexts/Keys Can Be Defined in Terms of Pair Encoding Scheme g 1 c(s,h) ᐧg 2 c(0,0)=0 g c(s,h) ᐧg c( s,h) 1 2 e(g 1,g 1 ) αs unmodified g 1 k(α,r,h) ᐧg 2 k(0,0,0)=0 g k(α,r,h) ᐧg k(0, r,h) 1 2 g 1 k(α,r,h) ᐧg 2 k(α, r,h) g 1 k(α,r,h) ᐧg 2 k(α,0,0) Each randomness except semi-param h is fresh for each.
37 Semi-functional Ciphertexts/Keys Can Be Defined in Terms of Pair Encoding Scheme C g 1 c(s,h) ᐧg 2 c(0,0)=0 K g 1 k(α,r,h) ᐧg 2 k(0,0,0)=0 C g c(s,h) ᐧg c( s,h) 1 2 K1 g k(α,r,h) ᐧg k(0, r,h) 1 2 e(g 1,g 1 ) αs unmodified K2 K3 g 1 k(α,r,h) ᐧg 2 k(α, r,h) g 1 k(α,r,h) ᐧg 2 k(α,0,0) Each randomness except semi-param h is fresh for each.
38 Recall Definition for Full Security X Y,M 0,M 1 X guess b PK SK CT SK KeyGen(X) Enc(Y,M b ) KeyGen(X)
39 Recall Definition for Full Security K K K }q1 K C K K K K q 2 } Notation in timeline X Y,M 0,M 1 X guess b PK SK CT SK KeyGen(X) Enc(Y,M b ) KeyGen(X)
40 Aim of the Proof Real game: all normal K K K K C K K K K Final game: all semi-functional K3 K3 K3 K3 C K3 K3 K3 K3
41 Final Game Adversary will have no advantage. Intuition: decryption contains random e(g 2,g 2 ) αs C g c(s,h) ᐧg c( s,h) 1 2 K3 g 1 k(α,r,h) ᐧg 2 k(α,0,0) K3 K3 K3 K3 C K3 K3 K3 K3
42 Game Sequence in the Proof K K K K C K K K K K3 K3 K3 K3 C K3 K3 K3 K3
43 Game Sequence in the Proof K K K K C K K K K K K K K C K K K K K3 K3 K3 K3 C K3 K3 K3 K3
44 Game Sequence in the Proof K K K K C K K K K K K K K C K K K K K3 K K K C K K K K K3 K3 K3 K3 C K3 K3 K3 K3
45 Game Sequence in the Proof K K K K C K K K K K K K K C K K K K K3 K K K C K K K K K3 K3 K K C K K K K K3 K3 K3 K3 C K3 K3 K3 K3
46 Game Sequence in the Proof K K K K C K K K K K K K K C K K K K K3 K K K C K K K K K3 K3 K K C K K K K K3 K3 K3 K3 C K3 K3 K3 K3
47 Game Subsequence Indistinguishability based on K Subgroup Decision K1 Security of encoding K2 K3 Subgroup Decision
48 Game Subsequence Indistinguishability based on K Subgroup Decision K1 Security of encoding K2 K3 Subgroup Decision Intuition: These two do not depend on encoding. Use linearity, param-vanishing of k and orthogonality of G.
49 Game Subsequence Indistinguishability based on K Subgroup Decision K1 Security of encoding K2 K3 Subgroup Decision
50 The 2nd Transition K1 K2 g k(α,r,h) ᐧg k(0, r,h) 1 2 g k(α,r,h) ᐧg k(α, r,h) 1 2 Security of encoding (to be defined)
51 The 2nd Transition K1 K2 g k(α,r,h) ᐧg k(0, r,h) 1 2 g k(α,r,h) ᐧg k(α, r,h) 1 2 Security of encoding (to be defined) Idea: just define security of encoding to be exactly the indistinguishability of these two games!
52 The 2nd Transition In More Details K3 K3 K1 K K C K K K3 K3 K2 K K C K K g k(α,0,0) 2 { g 2 k(0, r,h) g 2 k(α, r,h) g c( s,h) 2 Only these are correlated via semi-param h. Isolating all other keys.
53 Defining Security of Encoding Computationally secure encoding Cannot distinguish { g 2 k(0, r,h) g 2 k(α, r,h) g c( s,h) 2
54 Defining Security of Encoding Perfectly secure encoding Identical (info-theoretic) { k(0, r, h) k(α, r, h) c( s,h) Computationally secure encoding Cannot distinguish { g 2 k(0, r,h) g 2 k(α, r,h) g c( s,h) 2
55 Defining Security of Encoding Perfectly secure encoding Identical (info-theoretic) { k(0, r, h) k(α, r, h) c( s,h) Computationally secure encoding Cannot distinguish { g 2 k(0, r,h) g 2 k(α, r,h) 1st flavor: k before c g c( s,h) 2 2nd flavor: c before k
56 Computationally Security 1: k before c once X For R(X,Y)=0 once Y guess b pick h, b { g 2 k(0, r,h) g 2 k(α, r,h) if b=0 if b=1 g c( s,h) 2
57 Computationally Security 1: k before c For Transitions of Pre-challenge Keys K3 K3 K1 K K C K K K3 K3 K2 K K C K K once X For R(X,Y)=0 once Y guess b pick h, b { g 2 k(0, r,h) g 2 k(α, r,h) if b=0 if b=1 g c( s,h) 2
58 Computationally Security 2: c before k Y For R(X,Y)=0 X guess b once once pick h, b g c( s,h) 2 { g 2 k(0, r,h) g 2 k(α, r,h) if b=0 if b=1
59 Computationally Security 2: c before k For Transitions of Post-challenge Keys K3 K3 C K3 K3 K1 K K K3 K3 C K3 K3 K2 K K Y For R(X,Y)=0 X guess b once once pick h, b g c( s,h) 2 { g 2 k(0, r,h) g 2 k(α, r,h) if b=0 if b=1
60 Tighter Security Proof K K C K K K3 K3 K K C K3 K3 K3 K3 }O(q 1 ) }O(q 2 ) New! O(1)
61 Refining Computationally Security 2 For Transitions of Post-challenge Keys K3 K3 C K1 K1 K3 K3 C K2 K2 For R(X,Y)=0 Y X guess b once q 2 times pick h, b g c( s,h) 2 { g 2 k(0, r,h) g 2 k(α, r,h) if b=0 if b=1
62 Doubly Selective Security Y program h X The 2nd notion is called Selective Master-key Hiding since the order of queries mimics selective security of FE but in semi-functional space. X program h Y The 1st notion is called Co-Selective Master-key Hiding since the order of queries mimics co-selective security of FE but in semi-functional space.
63 Doubly Selective Security Y program h X The 2nd notion is called Selective Master-key Hiding since the order of queries Can borrow proof techniques mimics selective security of FE for selective security of FE but in semi-functional space. X program h Y The 1st notion is called Co-Selective Master-key Hiding since the order of queries Can borrow proof techniques mimics co-selective security of for co-selective security of FE FE but in semi-functional space. or selective security of its dual!
64 3 Instantiations
65 Fully Secure IBE Lewko-Waters IBE k=(α+r(h 1 +h 2 ID), r) c=(s, s(h 1 +h 2 ID )) h=(h 1,h 2 ) Our new IBE h=(h 1,h 2,h 3 ) k=(α+r 1 (h 1 +h 2 ID)+r 2 h 3, r 1, r 2 ) c=(s, s(h 1 +h 2 ID ), sh 3 ) Encoding is perfect. f(x)=h 1 +h 2 x is pair-wise independent Full security of IBE: O(q all ) to Subgroup Decision Encoding is perfect. Encoding is also selective under 3-party DH. Full security of IBE: O(q 1 ) to Subgroup Decision plus O(1) to 3-party DH
66 Fully Secure IBE Public key Ciphertext, key Reduction Assumption Waters 05 O(n) O(1) O(nq all ) DBDH Gentry 06 O(1) O(1) O(1) q all -ABDHE Waters 09 O(1) O(1) O(q all ) DBDH,DLIN Lewko-Waters 10 O(1) O(1) O(q all ) subgroup Chen-Wee 13 O(n) O(1) O(n) DLIN Our IBE O(1) O(1) n = ID length O(q 1 ) 3DH, subgroup
67 FE for Regular Languages Security Reduction Assumption Waters 12 selective O(1) Q-type Our FE for regular languages full O(q 1 ) Q-type, subgroup
68 FE for Regular Languages Selective security of our encoding Borrow techniques from selective security of Waters. Hence, use a similar Q-type assumption to Waters. Q is ciphertext attribute size of one query. Q is not the number of queries (q 1,q 2 ).! Co-selective security of our encoding New techniques, new Q-type assumption.
69 KP-ABE with Short Ciphertext Ciphertext size Key size Security Reduction Assumption A.-Libert- Panafieu 11 O(1) O(tk) selective O(1) Q-type Takashima 14 O(1) O(tk) selective O(q all ) DLIN Our ABE w/ short ciphertext O(1) O(tk) full O(q 1 ) Q-type, subgroup t = max attribute set in ciphertext, k= policy size for key
70 Unbounded KP-ABE Lewko-Waters 11 Lewko-Waters 12 Okamoto- Takashima 12b Rouselakis- Waters 13 Our unbounded ABE Large universe? Unbounded attribute repetition? Security Reduction Assumption yes yes selective O(q all ) subgroup no yes full Q-type, subgroup yes no full O(q all ) DLIN yes yes selective O(1) Q-type yes yes full O(q all ) O(q 1 ) Q-type, subgroup
71 More Results Generic dual scheme conversion for perfectly-secure encoding. Convert key-policy to ciphertext-policy (& vice versa) Fully-secure dual (ciphertext-policy) FE for regular languages. Unification of schemes based on dual systems and some improvements.
72 Take-Home Ideas Our framework can be considered as a method for boosting doubly selectively security (of encoding) to fully security (of FE). Why does it matters? Proving double selective security of encoding can use techniques from proving classical selective security.
73 Thank you
74 Recall the Definitions of Semi-Keys K K1 K2 K3 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg k(0, r,h) 1 2 g k(α,r,h) ᐧg k(α, r,h) 1 2 g 1 k(α,r,h) ᐧg 2 k(α,0,0) Subgroup Decision Security of encoding Subgroup Decision
75 Proof for the 1st Transition K K1 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg k(0, r,h) 1 2 Subgroup Decision Subgroup Decision problem: Decide if T G 1 or T G 12
76 Proof for the 1st Transition Simulated by K K1 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg k(0, r,h) 1 2 g 1 k(α,r,h ) ᐧ( g 1 t 1 ) k(0,r,h ) T g 1 k(α,r,h ) ᐧ(g 1 t 1g2 t 2) k(0,r,h ) Subgroup Decision problem: Decide if T G 1 or T G 12
77 Proof for the 1st Transition Simulated by K K1 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg k(0, r,h) 1 2 g 1 k(α,r,h ) ᐧ( g 1 t 1 ) k(0,r,h ) T g 1 k(α,r,h ) ᐧ(g 1 t 1g2 t 2) k(0,r,h ) Subgroup Decision problem: Decide if T G 1 or T G 12 Simulation is OK due to linearity, param-vanishing of k and parameter-hiding of G: h=h mod p 1 and h=h mod p 2 are independent.
78 Proof for the 3rd Transition is similar Simulated by K2 K3 g k(α,r,h) ᐧg k(α, r,h) 1 2 g 1 k(α,r,h) ᐧg 2 k(α,0,0) g 1 k(α,r,h ) ᐧ(g 1 t 1g2 t 2) k(α,r,h ) T g 1 k(α,r,h ) ᐧ( g 1 t 1 ) k(α,r,h )
Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More
Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More Nuttapong Attrapadung AIST, Japan n.attrapadung@aist.go.jp Abstract Dual
More informationDuality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings
Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings Nuttapong Attrapadung AIST, Japan n.attrapadung@aist.go.jp Shota Yamada AIST, Japan
More informationContribution to functional encryption through encodings
University of Wollongong Research Online University of Wollongong Thesis Collection 1954-2016 University of Wollongong Thesis Collections 2016 Contribution to functional encryption through encodings Jongkil
More informationInstantiating the Dual System Encryption Methodology in Bilinear Groups
Instantiating the Dual System Encryption Methodology in Bilinear Groups Allison Lewko joint work with Brent Waters Motivation classical public key cryptography: Alice Bob Eve Motivation functional encryption:
More informationFunctional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings
Functional Encryption for Computational Hiding in Prime Order Groups via Pair Encodings Jongkil Kim, Willy Susilo, Fuchun Guo, and Man Ho Au 2 Centre for Computer and Information Security Research School
More informationDéjà Q All Over Again
Royal Holloway, February 2017 1/43 Bilinear Groups and Assumptions Reductions Symmetric Schemes Conclusions Déjà Q All Over Again Melissa Chase 1 Mary Maller 2 1 MSR Redmond Sarah Meiklejohn 2 2 University
More informationFully-secure Key Policy ABE on Prime-Order Bilinear Groups
Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Luke Kowalczyk, Jiahui Liu, Kailash Meiyappan Abstract We present a Key-Policy ABE scheme that is fully-secure under the Decisional Linear Assumption.
More informationLecture 7: Boneh-Boyen Proof & Waters IBE System
CS395T Advanced Cryptography 2/0/2009 Lecture 7: Boneh-Boyen Proof & Waters IBE System Instructor: Brent Waters Scribe: Ioannis Rouselakis Review Last lecture we discussed about the Boneh-Boyen IBE system,
More informationA Study of Pair Encodings: Predicate Encryption in Prime Order Groups
A Study of Pair Encodings: Predicate Encryption in Prime Order Groups Shashank Agrawal 1 and Melissa Chase 2 1 University of Illinois Urbana-Champaign sagrawl2@illinois.edu 2 Microsoft Research melissac@microsoft.com
More informationExpressive Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts
Expressive Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts Nuttapong Attrapadung 1, Benoît Libert 2, and Elie de Panafieu 3 1 esearch Center for Information Security, AIST Japan) n.attrapadung@aist.go.jp
More informationUnbounded HIBE and Attribute-Based Encryption
Unbounded HIBE and ttribute-based Encryption llison Lewko University of Texas at ustin alewko@cs.utexas.edu Brent Waters University of Texas at ustin bwaters@cs.utexas.edu bstract In this work, we present
More informationDual System Framework in Multilinear Settings and Applications to Fully Secure (Compact) ABE for Unbounded-Size Circuits
Dual System Framework in Multilinear Settings and pplications to Fully Secure Compact BE for Unbounded-Size Circuits Nuttapong ttrapadung National Institute of dvanced Industrial Science and Technology
More informationNew Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts
New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu
More informationA Study of Pair Encodings: Predicate Encryption in Prime Order Groups
A Study of Pair Encodings: Predicate Encryption in Prime Order Groups Shashank Agrawal Melissa Chase Abstract Pair encodings and predicate encodings, recently introduced by Attrapadung (Eurocrypt 2014)
More informationFully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption
Fully Secure Functional Encryption: ttribute-based Encryption and (Hierarchical) Inner Product Encryption llison Lewko 1, Tatsuaki Okamoto 2, mit Sahai 3, Katsuyuki Takashima 4, and Brent Waters 5 1 University
More informationTools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting
Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting Allison Lewko The University of Texas at Austin alewko@csutexasedu Abstract In this paper, we explore a general
More informationFully Secure (Doubly-)Spatial Encryption under Simpler Assumptions
Fully Secure (Doubly-)Spatial Encryption under Simpler Assumptions Cheng Chen, Zhenfeng Zhang, and Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences,
More informationConverting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford)
More informationFully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption
Fully Secure Functional Encryption: ttribute-based Encryption and (Hierarchical) Inner Product Encryption llison Lewko University of Texas at ustin alewko@cs.utexas.edu mit Sahai UCL sahai@cs.ucla.edu
More informationIdentity-based encryption
Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages
More informationSearchable encryption & Anonymous encryption
Searchable encryption & Anonymous encryption Michel Abdalla ENS & CNS February 17, 2014 MPI - Course 2-12-1 Michel Abdalla (ENS & CNS) Searchable encryption & Anonymous encryption February 17, 2014 1 /
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationGeneric Constructions for Chosen-Ciphertext Secure Attribute Based Encryption
Generic Constructions for Chosen-Ciphertext Secure Attribute Based Encryption Shota Yamada 1, Nuttapong Attrapadung 2, Goichiro Hanaoka 2 and Noboru Kunihiro 1 1 The University of Tokyo. {yamada@it., kunihiro@}
More informationGeneric Transformations of Predicate Encodings: Constructions and Applications
Generic Transformations of Predicate Encodings: Constructions and Applications Miguel Ambrona,2, Gilles Barthe, and Benedikt Schmidt 3 IMDEA Software Institute, Madrid, Spain {miguel.ambrona,gilles.barthe}@imdea.org
More informationHierarchical identity-based encryption
Hierarchical identity-based encryption Michel Abdalla ENS & CNS September 26, 2011 MPI - Course 2-12-1 Lecture 3 - Part 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26,
More informationProperty Preserving Symmetric Encryption
Property Preserving Symmetric Encryption Omkant Pandey Microsoft, Redmond Yannis Rouselakis University of Texas at Austin Traditional Cryptography Alice Bob Eve New Goal: Computations on Encrypted Data
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationFUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan
FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS Elette Boyle Shafi Goldwasser Ioana Ivan Traditional Paradigm: All or Nothing Encryption [DH76] Given SK, can decrypt. Otherwise, can t distinguish encryptions
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationFully Key-Homomorphic Encryption and its Applications
Fully Key-Homomorphic Encryption and its Applications D. Boneh, C. Gentry, S. Gorbunov, S. Halevi, Valeria Nikolaenko, G. Segev, V. Vaikuntanathan, D. Vinayagamurthy Outline Background on PKE and IBE Functionality
More informationAdaptively Simulation-Secure Attribute-Hiding Predicate Encryption
Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption by Pratish Datta 1 joint work with Tatsuaki Okamoto 1 and Katsuyuki Takashima 2 1 NTT Secure Platform Laboratories 3-9-11 Midori-cho,
More informationShorter Identity-Based Encryption via Asymmetric Pairings
Shorter Identity-Based Encryption via symmetric Pairings Jie Chen, Hoon Wei Lim, San Ling, Huaxiong Wang, and Hoeteck Wee 2, Division of Mathematical Sciences School of Physical & Mathematical Sciences
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationFunction-Hiding Inner Product Encryption
Function-Hiding Inner Product Encryption Allison Bishop Columbia University allison@cs.columbia.edu Abhishek Jain Johns Hopkins University abhishek@cs.jhu.edu Lucas Kowalczyk Columbia University luke@cs.columbia.edu
More informationNew Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques
New Proof Methods for Attribute-Based Encryption: Achieving Full Security through Selective Techniques Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas
More informationIdentity-Based Online/Offline Encryption
Fuchun Guo 2 Yi Mu 1 Zhide Chen 2 1 University of Wollongong, Australia ymu@uow.edu.au 2 Fujian Normal University, Fuzhou, China fuchunguo1982@gmail.com Outline 1 2 3 4 Identity-based Encryption Review
More informationPROPERTY PRESERVING SYMMETRIC ENCRYPTION REVISITED
PROPERTY PRESERVING SYMMETRIC ENCRYPTION REVISITED SANJIT CHATTERJEE AND M. PREM LAXMAN DAS Abstract. At Eurocrypt 12, Pandey and Rouselakis [PR12a] proposed the notion of property preserving symmetric
More informationCiphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization
Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization Brent Waters University of Texas at Austin bwaters@csutexasedu Abstract We present a new methodology
More informationDelegation in Predicate Encryption Supporting Disjunctive Queries
Author manuscript, published in "Security and Privacy - Silver Linings in the Cloud Springer Ed. 2012 229-240" DOI : 10.1007/978-3-642-15257-3_21 Delegation in Predicate Encryption Supporting Disjunctive
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationResistance to Pirates 2.0: A Method from Leakage Resilient Cryptography
Resistance to Pirates 2.0: A Method from Leakage Resilient Cryptography Duong Hieu Phan 1,2 and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. In the classical model of
More informationPairing-Based Cryptography An Introduction
ECRYPT Summer School Samos 1 Pairing-Based Cryptography An Introduction Kenny Paterson kenny.paterson@rhul.ac.uk May 4th 2007 ECRYPT Summer School Samos 2 The Pairings Explosion Pairings originally used
More informationA New Functional Encryption for Multidimensional Range Query
A New Functional Encryption for Multidimensional Range Query Jia Xu 1, Ee-Chien Chang 2, and Jianying Zhou 3 1 Singapore Telecommunications Limited jia.xu@singtel.com 2 National University of Singapore
More informationDéjà Q: Encore! Un Petit IBE
Déjà Q: Encore! Un Petit IBE Hoeteck Wee ENS, Paris, France Abstract. We present an identity-based encryption (IBE) scheme in composite-order bilinear groups with essentially optimal parameters: the ciphertext
More informationShorter IBE and Signatures via Asymmetric Pairings
Shorter IBE and Signatures via symmetric Pairings Jie Chen, Hoon Wei Lim, San Ling, Huaxiong Wang, and Hoeteck Wee 2, Division of Mathematical Sciences School of Physical & Mathematical Sciences Nanyang
More informationLesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search
Lesson 8 : Key-Policy Attribute-Based Encryption and Public Key Encryption with Keyword Search November 3, 2014 teacher : Benoît Libert scribe : Florent Bréhard Key-Policy Attribute-Based Encryption (KP-ABE)
More informationPractical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles
Practical Hierarchical Identity Based Encryption and Signature schemes Without Random Oracles Man Ho Au 1, Joseph K. Liu 2, Tsz Hon Yuen 3, and Duncan S. Wong 4 1 Centre for Information Security Research
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationAttribute-Based Encryption Schemes with Constant-Size Ciphertexts
Attribute-Based Encryption Schemes with Constant-Size Ciphertexts Nuttapong Attrapadung 1, Javier Herranz 2, Fabien Laguillaume 3, Benoît Libert 4, Elie de Panafieu 5, and Carla Ràfols 2 1 Research Center
More informationFully Secure Unbounded Inner-Product and Attribute-Based Encryption
Fully Secure nbounded Inner-Product and Attribute-Based Encryption Tatsuaki Okamoto 1 and Katsuyuki Takashima 2 1 NTT okamoto.tatsuaki@lab.ntt.co.jp 2 Mitsubishi Electric Takashima.Katsuyuki@aj.MitsubishiElectric.co.jp
More informationSecurity Analysis of an Identity-Based Strongly Unforgeable Signature Scheme
Security Analysis of an Identity-Based Strongly Unforgeable Signature Scheme Kwangsu Lee Dong Hoon Lee Abstract Identity-based signature (IBS) is a specific type of public-key signature (PKS) where any
More informationAttribute-Based Encryption with Fast Decryption
Attribute-Based Encryption with Fast Decryption Susan Hohenberger and Brent Waters May 8, 2013 Abstract Attribute-based encryption (ABE) is a vision of public key encryption that allows users to encrypt
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationCONSTRUCTIONS SECURE AGAINST RECEIVER SELECTIVE OPENING AND CHOSEN CIPHERTEXT ATTACKS
CONSRUCIONS SECURE AGAINS RECEIVER SELECIVE OPENING AND CHOSEN CIPHEREX AACKS Dingding Jia, Xianhui Lu, Bao Li jiadingding@iie.ac.cn C-RSA 2017 02-17 Outline Background Motivation Our contribution Existence:
More informationDual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions
Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions Brent Waters University of Texas at Austin Abstract We present a new methodology for proving security of encryption
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationFunctional Encryption for Inner Product Predicates from Learning with Errors
Functional Encryption for Inner Product Predicates from Learning with Errors Shweta Agrawal University of California, Los Angeles shweta@cs.ucla.edu Vinod Vaikuntanathan University of Toronto vinodv@cs.toronto.edu
More informationA Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University
A Survey of Computational Assumptions on Bilinear and Multilinear Maps Allison Bishop IEX and Columbia University Group Basics There are two kinds of people in this world. Those who like additive group
More informationID-based Encryption Scheme Secure against Chosen Ciphertext Attacks
ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {cao-zf,
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationCiphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations
Ciphertext-Policy Hierarchical Attribute-Based Encryption with Short Ciphertexts: Efficiently Sharing Data among Large Organizations Hua Deng a, Qianhong Wu* b, Bo Qin c, Josep Domingo-Ferrer d, Lei Zhang
More informationUnbounded Inner Product Functional Encryption from Bilinear Maps
nbounded Inner Product Functional Encryption from Bilinear Maps Junichi Tomida and Katsuyuki Takashima 2 NTT tomida.junichi@lab.ntt.co.jp 2 Mitubishi Electric Takashima.Katsuyuki@aj.MitsubishiElectric.co.jp
More informationIdentity Based Encryption
Bilinear Pairings in Cryptography: Identity Based Encryption Dan Boneh Stanford University Recall: Pub-Key Encryption (PKE) PKE Three algorithms : (G, E, D) G(λ) (pk,sk) outputs pub-key and secret-key
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationGeneric Conversions from CPA to CCA secure Functional Encryption
Generic Conversions from CPA to CCA secure Functional Encryption Mridul Nandi and Tapas Pandit Indian Statistical Institute, Kolkata mridul@isical.ac.in and tapasgmmath@gmail.com Abstract. In 2004, Canetti-Halevi-Katz
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationDefinitional Issues in Functional Encryption
Definitional Issues in Functional Encryption Adam O Neill Abstract We provide a formalization of the emergent notion of functional encryption, as well as introduce various security notions for it, and
More informationHidden-Vector Encryption with Groups of Prime Order
Hidden-Vector Encryption with Groups of Prime Order Vincenzo Iovino 1 and Giuseppe Persiano 1 Dipartimento di Informatica ed Applicazioni, Università di Salerno, 84084 Fisciano (SA), Italy. iovino,giuper}@dia.unisa.it.
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationNotes for Lecture 27
U.C. Berkeley CS276: Cryptography Handout N27 Luca Trevisan April 30, 2009 Notes for Lecture 27 Scribed by Madhur Tulsiani, posted May 16, 2009 Summary In this lecture we begin the construction and analysis
More informationMulti-Input Functional Encryption
Multi-Input Functional Encryption S. Dov Gordon Jonathan Katz Feng-Hao Liu Elaine Shi Hong-Sheng Zhou Abstract Functional encryption (FE) is a powerful primitive enabling fine-grained access to encrypted
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationThe k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions
The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions Karyn Benson (UCSD) Hovav Shacham (UCSD) Brent Waters (UT-Austin) Provable Security How to show your cryptosystem
More informationSimple SK-ID-KEM 1. 1 Introduction
1 Simple SK-ID-KEM 1 Zhaohui Cheng School of Computing Science, Middlesex University The Burroughs, Hendon, London, NW4 4BT, United Kingdom. m.z.cheng@mdx.ac.uk Abstract. In 2001, Boneh and Franklin presented
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationREMARKS ON IBE SCHEME OF WANG AND CAO
REMARKS ON IBE SCEME OF WANG AND CAO Sunder Lal and Priyam Sharma Derpartment of Mathematics, Dr. B.R.A.(Agra), University, Agra-800(UP), India. E-mail- sunder_lal@rediffmail.com, priyam_sharma.ibs@rediffmail.com
More informationAdaptively Secure Functional Encryption for Finite Languages from DLIN Assumption
daptively Secure Functional Encryption for Finite Languages from DLIN ssumption apas Pandit Stat-Math nit Indian Statistical Institute, Kolkata tapasgmmath@gmail.com Rana Barua Stat-Math nit Indian Statistical
More informationCryptography from Pairings
DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 1 Cryptography from Pairings Kenny Paterson kenny.paterson@rhul.ac.uk May 31st 2007 DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 2 The Pairings Explosion
More informationFunctional Encryption for Regular Languages
Functional Encryption for Regular Languages Brent Waters 1 The University of Texas at Austin bwaters@cs.utexas.edu Abstract. We provide a functional encryption system that supports functionality for regular
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationarxiv: v1 [cs.cr] 24 Feb 2017
Efficient Hidden Vector Encryptions and Its Applications 1 arxiv:1702.07456v1 [cs.cr] 24 Feb 2017 Kwangsu Lee A Thesis for the Degree of Doctor of Philosophy Department of Information Security, Graduate
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationLightweight Symmetric-Key Hidden Vector Encryption without Pairings
Lightweight Symmetric-Key Hidden Vector Encryption without Pairings Sikhar Patranabis and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology Kharagpur sikhar.patranabis@iitkgp.ac.in,
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationDéjà Q: Using Dual Systems to Revisit q-type Assumptions
Déjà Q: Using Dual Systems to Revisit q-type Assumptions Melissa Chase Microsoft Research Redmond melissac@microsoft.com Sarah Meiklejohn UC San Diego smeiklej@cs.ucsd.edu Abstract After more than a decade
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationRecent Advances in Identity-based Encryption Pairing-based Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-based Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationA Comment on Gu Map-1
A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More information