Searchable encryption & Anonymous encryption
1 Searchable encryption & Anonymous encryption
Michel Abdalla, ENS & CNRS
February 17, 2014
MPRI - Course
Michel Abdalla (ENS & CNRS) Searchable encryption & Anonymous encryption February 17, 2014 1 / 40
2 Outline
1 Searchable Encryption
  Motivation
  Syntax
  Security notions
  BDOP scheme
  Security of BDOP-PEKS
2 Anonymous identity-based encryption
  HIBE definition
  Boneh-Boyen HIBE
  Boneh-Boyen-Goh HIBE
  Waters HIBE
  Boneh-Franklin IBE
  Gentry IBE
3 Generic constructions of PEKS
3 Motivation
Suppose Bob sends an encrypted email to Alice.
Alice's gateway may want to test if the email contains the word "urgent", so that it could route the email accordingly.
Still, Alice does not want the gateway to be able to decrypt her messages.
Public-key encryption with keyword search (PEKS): Enable the gateway to test whether a given keyword is present in the email without learning anything else about the email.
4 PEKS: Basic idea
Bob encrypts his email using a standard public-key encryption scheme (PKE).
He then appends the public-key encryption with keyword search (PEKS) of each keyword:
$$\mathrm{Enc}(pk_{Alice}, m) \,\|\, \mathrm{PEKS}(pk_{Alice}, w_1) \,\|\, \ldots \,\|\, \mathrm{PEKS}(pk_{Alice}, w_l)$$
Main property: Alice can give the gateway a trapdoor $t_w$ that allows it to test whether $w_i = w$ for $i = 1, \ldots, l$.
5 PEKS: Public-key encryption with keyword search [BDOP04]
Goal: Allow gateway to test for the presence of keywords in ciphertexts.
[Figure: PEKS data flow between Sender, Receiver and Gateway. Labels: Key Generation (pk, sk); PEKS (pk, w) → C; Trapdoor (sk, w) → $T_w$; Test ($T_w$, C) → YES (1) / NO (0)]
6 Public-key encryption with keyword search (PEKS)
A PEKS scheme is defined by four algorithms:
KeyGen($1^k$): Outputs a secret and public key pair (pk, sk) for the PEKS scheme.
Td(sk, w): Uses the secret key sk to compute a trapdoor $t_w$ for keyword w.
PEKS(pk, w): Generates a ciphertext C for keyword w using public key pk.
Test($t_w$, C): Allows the gateway in possession of $t_w$ to test for the presence of w in C. It returns 1 if C is an encryption of w and 0 otherwise.
7 PEKS security goals
There are two main security notions associated with PEKS schemes.
Keyword privacy: The adversary should be unable to distinguish $\mathrm{PEKS}(pk, w_0)$ from $\mathrm{PEKS}(pk, w_1)$ for keywords $w_0, w_1$ of its choice. The trapdoor for a keyword w should only allow the gateway to learn whether a given ciphertext contains w.
Consistency: This condition states that $\mathrm{Test}(t_{w'}, C)$ should return 1 if $w = w'$ and 0 if $w \ne w'$.
8 IND-PEKS-CPA: Indistinguishability under chosen-plaintext attacks
Let PEKS = (KeyGen, PEKS, Td, Test) be a PEKS scheme. Let A be an adversary against the IND-PEKS-CPA security of PEKS.
Game $\mathrm{Exp}^{\text{ind-cpa}}_{PEKS,A}(k)$
proc Initialize(k):
  $(pk, sk) \leftarrow \mathrm{KeyGen}(1^k)$
  $\beta \xleftarrow{\$} \{0, 1\}$
  Return pk
proc Td(w):
  $t_w \leftarrow \mathrm{Td}(sk, w)$
  Return $t_w$
proc LR($w_0$, $w_1$):
  $C \leftarrow \mathrm{PEKS}(pk, w_\beta)$
  Return C
proc Finalize($\beta'$):
  Return ($\beta' = \beta$)
The advantage of A against the IND-PEKS-CPA security of PEKS is defined as
$$\mathrm{Adv}^{\text{ind-cpa}}_{PEKS,A}(k) = 2 \cdot \Pr\left[\mathrm{Exp}^{\text{ind-cpa}}_{PEKS,A}(k) = \text{true}\right] - 1$$
9 CONSIST: Consistency under chosen-plaintext attacks
Let PEKS = (KeyGen, PEKS, Td, Test) be a PEKS scheme. Let A be an adversary against the CONSIST security of PEKS.
Game $\mathrm{Exp}^{\text{peks-consist}}_{PEKS,A}(k)$
proc Initialize(k):
  $(pk, sk) \leftarrow \mathrm{KeyGen}(1^k)$
  Return pk
proc Finalize($w$, $w'$):
  $C \leftarrow \mathrm{PEKS}(pk, w)$
  $t \leftarrow \mathrm{Td}(sk, w')$
  Return $(w \ne w') \wedge (\mathrm{Test}(t, C))$
The advantage of an adversary A against the consistency of PEKS is defined as
$$\mathrm{Adv}^{\text{peks-consist}}_{PEKS,A}(k) = \Pr\left[\mathrm{Exp}^{\text{peks-consist}}_{PEKS,A}(k) = \text{true}\right]$$
10 BDOP-PEKS scheme: Intuition
Use the Boneh-Franklin BasicIdent IBE scheme as a starting point and fix a message m.
Keywords in BDOP-PEKS are mapped to identities in BasicIdent.
A trapdoor in BDOP-PEKS simply corresponds to a decryption key in BasicIdent.
To encrypt a keyword w in BDOP-PEKS, one encrypts m for identity w in BasicIdent.
To test whether a ciphertext C encrypts a keyword w, one decrypts C using the secret key for w and tests whether the result equals m.
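11 Boneh-Franklin BasicIdent IBE scheme
Let $\mathcal{G}$ be a pairing parameter generator. Let $H : \{0, 1\}^* \to \mathbb{G}$ be a random oracle.
Setup($1^k$):
  $(\mathbb{G}, \mathbb{G}_T, p, \hat{e}) \leftarrow \mathcal{G}(1^k)$
  $g \xleftarrow{\$} \mathbb{G}$ ; $s \xleftarrow{\$} \mathbb{Z}_p$ ; $S \leftarrow g^s$
  $msk \leftarrow s$
  $mpk \leftarrow ((\mathbb{G}, \mathbb{G}_T, p, \hat{e}), S, H)$
  return (mpk, msk)
KeyDer(msk, id):
  $Q_{id} \leftarrow H(id)$
  $sk \leftarrow Q_{id}^{s}$
  return (sk)
Enc(mpk, id, m):
  $r \xleftarrow{\$} \mathbb{Z}_p$ ; $C_1 \leftarrow g^r$
  $Q_{id} \leftarrow H(id)$ ; $K \leftarrow \hat{e}(S, Q_{id})^r$
  $C_2 \leftarrow m \cdot K$
  return ($C_1$, $C_2$)
Dec(sk, C):
  parse C as ($C_1$, $C_2$)
  $K \leftarrow \hat{e}(C_1, sk)$
  $m \leftarrow C_2 / K$
  return m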
12 BDOP-PEKS scheme: Description
KeyGen($1^k$):
  $(\mathbb{G}, \mathbb{G}_T, p, \hat{e}) \leftarrow \mathcal{G}(1^k)$
  $g \xleftarrow{\$} \mathbb{G}$
  $s \xleftarrow{\$} \mathbb{Z}_p$
  $pk \leftarrow (\mathbb{G}, \mathbb{G}_T, p, \hat{e}, g, g^s)$
  $sk \leftarrow (pk, s)$
  Return (pk, sk)
PEKS(pk, w):
  parse pk as $(\mathbb{G}, \mathbb{G}_T, p, \hat{e}, g, g^s)$
  $r \xleftarrow{\$} \mathbb{Z}_p$
  $T \leftarrow \hat{e}(H(w), g^s)^r$
  $C \leftarrow (g^r, T)$
  Return C
Td(sk, w):
  parse sk as $((\mathbb{G}, \mathbb{G}_T, p, \hat{e}, g, g^s), s)$
  $t_w \leftarrow (pk, H(w)^s)$
  Return $t_w$
Test($t_w$, C):
  parse $t_w$ as $((\mathbb{G}, \mathbb{G}_T, p, \hat{e}, g, g^s), X)$
  parse C as (U, V)
  $T \leftarrow \hat{e}(X, U)$
  if V = T then Return 1 else Return 0
13 BDDH keyword privacy of BDOP-PEKS
Theorem: Let BDOP-PEKS refer to the BDOP-PEKS scheme described above, $\mathcal{G}$ be a pairing parameter generator, and A be an adversary against IND-PEKS-CPA security of BDOP-PEKS, making at most a single query to the LR procedure and at most $q_H$ queries to the random oracle H. Then, there exists an adversary B against the BDDH problem relative to $\mathcal{G}$, whose running time is that of A and such that
$$\mathrm{Adv}^{\text{ind-cpa}}_{\text{BDOP-PEKS},A}(k) \le 2 \cdot q_H \cdot \mathrm{Adv}^{\text{bddh}}_{\mathcal{G},k}(B).$$
14 Computational consistency of BDOP-PEKS
Theorem: Let BDOP-PEKS refer to the BDOP-PEKS scheme described above, $\mathcal{G}$ be a pairing parameter generator, and A be an adversary against IND-PEKS-CPA security of BDOP-PEKS, making at most $q_H$ queries to the random oracle H. Then, the advantage $\mathrm{Adv}^{\text{peks-consist}}_{\text{BDOP-PEKS},A}(k)$ of A against the consistency of PEKS is at most $q_H^2 / p$.
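The BDOP-PEKS algorithms and the consistency bound above, run in a toy model, as an added example that is not from the original slides. It assumes a stand-in for the pairing group in which every element is stored as its exponent modulo p (so discrete logarithms are exposed and nothing here is secure), SHA-256 in place of the random oracle H, and the constructed parameters P_LARGE and P_SMALL; the function names are this example's own.

```python
import hashlib
import secrets

# Toy model (assumption of this example): an element g^x of G, or e(g,g)^x of
# G_T, is stored as its exponent x mod p. Discrete logs are therefore public,
# so this gives no security; it only lets the scheme's algebra be executed.
P_LARGE = 2**127 - 1   # prime group order (constructed parameter)
P_SMALL = 251          # tiny prime order, used to force hash collisions


def H(w, p):
    """Random-oracle stand-in: map keyword w to a non-identity element of G."""
    digest = hashlib.sha256(w.encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (p - 1)


def pair(x, y, p):
    """e(g^x, g^y) = e(g, g)^(x*y): bilinear in both arguments."""
    return (x * y) % p


def power(x, k, p):
    """(g^x)^k = g^(x*k)."""
    return (x * k) % p


def keygen(p):
    g = 1                                    # exponent of the generator g
    s = 1 + secrets.randbelow(p - 1)         # secret s, nonzero mod p
    pk = (p, g, power(g, s, p))              # (parameters, g, g^s)
    return pk, (pk, s)                       # sk = (pk, s)


def peks(pk, w):
    p, g, gs = pk
    r = 1 + secrets.randbelow(p - 1)
    T = power(pair(H(w, p), gs, p), r, p)    # T = e(H(w), g^s)^r
    return (power(g, r, p), T)               # C = (g^r, T)


def td(sk, w):
    pk, s = sk
    return (pk, power(H(w, pk[0]), s, pk[0]))    # t_w = (pk, H(w)^s)


def peks_test(tw, C):
    pk, X = tw
    U, V = C
    return 1 if V == pair(X, U, pk[0]) else 0    # accept iff V = e(X, U)


def find_collision(p, tries):
    """Search keywords kw0, kw1, ... for w != w' with H(w) = H(w')."""
    seen = {}
    for i in range(tries):
        w = f"kw{i}"
        h = H(w, p)
        if h in seen:
            return seen[h], w
        seen[h] = w
    return None


def demo():
    pk, sk = keygen(P_LARGE)
    c = peks(pk, "urgent")
    match = peks_test(td(sk, "urgent"), c)       # same keyword
    mismatch = peks_test(td(sk, "lunch"), c)     # different keyword
    # With p = 251 the oracle has only 250 outputs, so 251 keywords must
    # collide, and a colliding pair makes Test accept although w != w'.
    pk2, sk2 = keygen(P_SMALL)
    w, w2 = find_collision(P_SMALL, 300)
    false_positive = peks_test(td(sk2, w2), peks(pk2, w))
    return match, mismatch, (w, w2), false_positive


if __name__ == "__main__":
    print(demo())
```

Test accepts exactly when H(w) = H(w'), which is why an adversary limited to $q_H$ oracle queries wins the consistency game only by finding a collision in H.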
16 Hierarchical identity-based encryption (HIBE)
[Figure: identity tree with Root, Level 1 ($I_1$), Level 2 ($I_2$), Level 3 ($I_3$); ID = ($I_1$, $I_2$, $I_3$)]
Identities are vectors of the form $(id_1, \ldots, id_L)$, where L is the HIBE depth.
Hierarchical key derivation: Users with $(id_1, id_2)$ can derive keys for any user whose identity is of the form $(id_1, id_2, *, \ldots, *)$.
17 HIBE Syntax
Identity at level $1 \le l \le L$ is a vector $id = (id_1, \ldots, id_l) \in ID^l$. Root identity is represented by $\varepsilon$.
An HIBE scheme is defined by four algorithms:
Setup($1^k$, L): Outputs a master public key mpk for a HIBE of depth L along with master secret key msk.
KeyDer($sk_{(id_1,\ldots,id_l)}$, $id_{l+1}$): Uses the secret key $sk_{id}$ for identity $id = (id_1, \ldots, id_l)$ to compute a secret key $sk_{id'}$ for the user with identity $id' = (id_1, \ldots, id_{l+1})$.
Enc(mpk, id, m): Generates a ciphertext C for identity $id = (id_1, \ldots, id_l)$ and message m using master public key mpk.
Dec(C, $sk_{id}$): Allows the user in possession of $sk_{id}$ for identity $id = (id_1, \ldots, id_l)$ to decrypt the ciphertext C and get back a message m.
18 ANO-HID-CPA: Anonymity under chosen-plaintext attacks
Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the ANO-HID-CPA security of HIBE.
Game $\mathrm{Exp}^{\text{ano-cpa}}_{HIBE,L,A}(k)$
proc Initialize(k, L):
  $(mpk, msk) \leftarrow \mathrm{Setup}(1^k, L)$
  $\beta \xleftarrow{\$} \{0, 1\}$
  Return mpk
proc KeyDer(id):
  $sk_{id} \leftarrow \mathrm{KeyDer}(msk, id)$
  Return $sk_{id}$
proc LR($id_0$, $id_1$, m):
  $C \leftarrow \mathrm{Enc}(mpk, id_\beta, m)$
  Return C
proc Finalize($\beta'$):
  Return ($\beta' = \beta$)
The advantage of A against the ANO-HID-CPA security of HIBE is defined as
$$\mathrm{Adv}^{\text{ano-cpa}}_{HIBE,L,A}(k) = 2 \cdot \Pr\left[\mathrm{Exp}^{\text{ano-cpa}}_{HIBE,L,A}(k) = \text{true}\right] - 1$$
19 ANO-sHID-CPA: Anonymity under selective-identity chosen-plaintext attacks
Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the ANO-sHID-CPA security of HIBE.
Game $\mathrm{Exp}^{\text{s-ano-cpa}}_{HIBE,L,A}(k)$
proc Initialize(k, L, $id_0$, $id_1$):
  $(mpk, msk) \leftarrow \mathrm{Setup}(1^k, L)$
  $\beta \xleftarrow{\$} \{0, 1\}$
  Return mpk
proc KeyDer(id):
  $sk_{id} \leftarrow \mathrm{KeyDer}(msk, id)$
  Return $sk_{id}$
proc LR(m):
  $C \leftarrow \mathrm{Enc}(mpk, id_\beta, m)$
  Return C
proc Finalize($\beta'$):
  Return ($\beta' = \beta$)
The advantage of A against the ANO-sHID-CPA security of HIBE is defined as
$$\mathrm{Adv}^{\text{s-ano-cpa}}_{HIBE,L,A}(k) = 2 \cdot \Pr\left[\mathrm{Exp}^{\text{s-ano-cpa}}_{HIBE,L,A}(k) = \text{true}\right] - 1$$
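20 Boneh-Boyen HIBE scheme (BB)
Setup($1^k$, L):
  $(\mathbb{G}, \mathbb{G}_T, p, \hat{e}) \leftarrow \mathcal{G}(1^k)$
  $g \xleftarrow{\$} \mathbb{G}$
  $a \xleftarrow{\$} \mathbb{Z}_p$ ; $A \leftarrow g^a$
  $b \xleftarrow{\$} \mathbb{Z}_p$ ; $B \leftarrow g^b$
  for i = 1, ..., L; b = 0, 1 do
    $h_{i,b} \xleftarrow{\$} \mathbb{Z}_p$ ; $H_{i,b} \leftarrow g^{h_{i,b}}$
  $mpk \leftarrow (g, A, B, H_{1,0}, \ldots, H_{L,1}, \mathbb{G}, \mathbb{G}_T, p, \hat{e})$
  $msk \leftarrow g^{ab}$
  return (mpk, msk)
KeyDer($sk_{(id_1,\ldots,id_l)}$, $id_{l+1}$):
  parse $sk_{(id_1,\ldots,id_l)}$ as $(sk_0, \ldots, sk_l)$
  $r_{l+1} \xleftarrow{\$} \mathbb{Z}_p$
  $sk'_0 \leftarrow sk_0 \cdot \left(H_{l+1,0}^{id_{l+1}} H_{l+1,1}\right)^{r_{l+1}}$
  $sk'_{l+1} \leftarrow g^{r_{l+1}}$
  return $(sk'_0, sk_1, \ldots, sk_l, sk'_{l+1})$
Enc(mpk, id, m):
  parse id as $(id_1, \ldots, id_l)$
  $t \xleftarrow{\$} \mathbb{Z}_p$ ; $C_1 \leftarrow g^t$
  for i = 1, ..., l do $C_{2,i} \leftarrow \left(H_{i,0}^{id_i} H_{i,1}\right)^t$
  $K \leftarrow \hat{e}(A, B)^t$
  $C_3 \leftarrow m \cdot K$
  return $(C_1, (C_{2,1}, \ldots, C_{2,l}), C_3)$
Dec(sk, C):
  parse $sk_{(id_1,\ldots,id_l)}$ as $(sk_0, \ldots, sk_l)$
  parse C as $(C_1, C_{2,1}, \ldots, C_{2,l}, C_3)$
  $K \leftarrow \hat{e}(sk_0, C_1) / \prod_{i=1}^{l} \hat{e}(sk_i, C_{2,i})$
  $m \leftarrow C_3 / K$
  return m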
21 Additional comments about the BB HIBE scheme
The secret key $sk_{(id_1,\ldots,id_l)} = (sk_0, \ldots, sk_l)$ for identity $(id_1, \ldots, id_l)$ has the form:
$$sk_0 = g^{ab} \prod_{i=1}^{l} \left(H_{i,0}^{id_i} H_{i,1}\right)^{r_i}, \qquad sk_i = g^{r_i} \text{ for } i = 1, \ldots, l$$
The secret key output by KeyDer can be re-randomized via
Randomize($sk_{(id_1,\ldots,id_l)}$):
  parse $sk_{(id_1,\ldots,id_l)}$ as $(sk_0, \ldots, sk_l)$
  for i = 1, ..., l do
    $r'_i \xleftarrow{\$} \mathbb{Z}_p$
    $sk'_i \leftarrow sk_i \cdot g^{r'_i}$
  $sk'_0 \leftarrow sk_0 \cdot \prod_{i=1}^{l} \left(H_{i,0}^{id_i} H_{i,1}\right)^{r'_i}$
  return $(sk'_0, sk'_1, \ldots, sk'_l)$
22 Correctness of BB HIBE scheme
For a valid ciphertext, we have:
$$\begin{aligned}
K &= \hat{e}(sk_0, C_1) \Big/ \prod_{i=1}^{l} \hat{e}(sk_i, C_{2,i}) \\
&= \hat{e}\Big(g^{ab} \prod_{i=1}^{l} \big(H_{i,0}^{id_i} H_{i,1}\big)^{r_i},\, g^t\Big) \Big/ \prod_{i=1}^{l} \hat{e}\big(g^{r_i}, \big(H_{i,0}^{id_i} H_{i,1}\big)^t\big) \\
&= \hat{e}(g^{ab}, g^t) \prod_{i=1}^{l} \hat{e}\big(\big(H_{i,0}^{id_i} H_{i,1}\big)^{r_i}, g^t\big) \Big/ \prod_{i=1}^{l} \hat{e}\big(g^{r_i}, \big(H_{i,0}^{id_i} H_{i,1}\big)^t\big) \\
&= \hat{e}(g^a, g^b)^t = \hat{e}(A, B)^t = K
\end{aligned}$$
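23 Boneh-Boyen-Goh HIBE scheme (BBG-HIBE)
Setup:
  $g_1, g_2 \xleftarrow{\$} \mathbb{G}$ ; $\alpha \xleftarrow{\$} \mathbb{Z}_p$
  $h_1 \leftarrow g_1^{\alpha}$ ; $h_2 \leftarrow g_2^{\alpha}$
  $u_i \xleftarrow{\$} \mathbb{G}$ for i = 1, ..., L
  $mpk \leftarrow (g_1, g_2, h_1, u_0, \ldots, u_L)$
  $sk_0 \leftarrow h_2$
  For i = 1, ..., L + 1 do $sk_i \leftarrow 1$
  $msk \leftarrow (sk_0, sk_1, \ldots, sk_L, sk_{L+1})$
  Return (mpk, msk)
KeyDer($sk_{(id_1,\ldots,id_l)}$, $id_{l+1}$):
  Parse $sk_{(id_1,\ldots,id_l)}$ as $(sk_0, sk_{l+1}, \ldots, sk_L, sk_{L+1})$
  $r_{l+1} \xleftarrow{\$} \mathbb{Z}_p$
  $sk'_0 \leftarrow sk_0 \cdot sk_{l+1}^{id_{l+1}} \cdot \left(u_0 \prod_{i=1}^{l+1} u_i^{id_i}\right)^{r_{l+1}}$
  For i = l + 2, ..., L do $sk'_i \leftarrow sk_i \cdot u_i^{r_{l+1}}$
  $sk'_{L+1} \leftarrow sk_{L+1} \cdot g_1^{r_{l+1}}$
  Return $(sk'_0, sk'_{l+2}, \ldots, sk'_L, sk'_{L+1})$
Enc(mpk, id, m):
  Parse id as $(id_1, \ldots, id_l)$
  $r \xleftarrow{\$} \mathbb{Z}_p$ ; $C_1 \leftarrow g_1^r$
  $C_2 \leftarrow \left(u_0 \prod_{i=1}^{l} u_i^{id_i}\right)^r$
  $C_3 \leftarrow m \cdot \hat{e}(h_1, g_2)^r$
  Return $(C_1, C_2, C_3)$
Dec($sk_{(id_1,\ldots,id_l)}$, C):
  Parse $sk_{(id_1,\ldots,id_l)}$ as $(sk_0, sk_{l+1}, \ldots, sk_{L+1})$
  Parse C as $(C_1, C_2, C_3)$
  $m \leftarrow C_3 \cdot \hat{e}(C_2, sk_{L+1}) / \hat{e}(C_1, sk_0)$
  Return m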
24 Waters HIBE scheme (Wa-HIBE)
Setup:
  $g_1, g_2 \xleftarrow{\$} \mathbb{G}$ ; $\alpha \xleftarrow{\$} \mathbb{Z}_p$
  $h_1 \leftarrow g_1^{\alpha}$ ; $h_2 \leftarrow g_2^{\alpha}$
  $u_{i,j} \xleftarrow{\$} \mathbb{G}$ for i = 1, ..., L; j = 0, ..., n
  $mpk \leftarrow (g_1, g_2, h_1, u_{1,0}, \ldots, u_{L,n})$
  $msk \leftarrow h_2$
  Return (mpk, msk)
KeyDer($sk_{(id_1,\ldots,id_l)}$, $id_{l+1}$):
  Parse $sk_{(id_1,\ldots,id_l)}$ as $(sk_0, \ldots, sk_l)$
  $r_{l+1} \xleftarrow{\$} \mathbb{Z}_p$
  $sk'_0 \leftarrow sk_0 \cdot F_{l+1}(id_{l+1})^{r_{l+1}}$
  $sk'_{l+1} \leftarrow g_1^{r_{l+1}}$
  Return $(sk'_0, sk_1, \ldots, sk_l, sk'_{l+1})$
Enc(mpk, id, m):
  Parse id as $(id_1, \ldots, id_l)$
  $r \xleftarrow{\$} \mathbb{Z}_p$ ; $C_1 \leftarrow g_1^r$
  For i = 1, ..., l do $C_{2,i} \leftarrow F_i(id_i)^r$
  $C_3 \leftarrow m \cdot \hat{e}(h_1, g_2)^r$
  Return $(C_1, C_{2,1}, \ldots, C_{2,l}, C_3)$
Dec($sk_{(id_1,\ldots,id_l)}$, C):
  Parse $sk_{(id_1,\ldots,id_l)}$ as $(sk_0, \ldots, sk_l)$
  Parse C as $(C_1, C_{2,1}, \ldots, C_{2,l}, C_3)$
  $m \leftarrow C_3 \cdot \prod_{i=1}^{l} \hat{e}(sk_i, C_{2,i}) / \hat{e}(C_1, sk_0)$
  Return m
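25 Boneh-Franklin BasicIdent IBE scheme
Let $\mathcal{G}$ be a pairing parameter generator. Let $H : \{0, 1\}^* \to \mathbb{G}$ be a random oracle.
Setup($1^k$):
  $(\mathbb{G}, \mathbb{G}_T, p, \hat{e}) \leftarrow \mathcal{G}(1^k)$
  $g \xleftarrow{\$} \mathbb{G}$ ; $s \xleftarrow{\$} \mathbb{Z}_p$ ; $S \leftarrow g^s$
  $msk \leftarrow s$
  $mpk \leftarrow ((\mathbb{G}, \mathbb{G}_T, p, \hat{e}), S, H)$
  return (mpk, msk)
KeyDer(msk, id):
  $Q_{id} \leftarrow H(id)$
  $sk \leftarrow Q_{id}^{s}$
  return (sk)
Enc(mpk, id, m):
  $r \xleftarrow{\$} \mathbb{Z}_p$ ; $C_1 \leftarrow g^r$
  $Q_{id} \leftarrow H(id)$ ; $K \leftarrow \hat{e}(S, Q_{id})^r$
  $C_2 \leftarrow m \cdot K$
  return ($C_1$, $C_2$)
Dec(sk, C):
  parse C as ($C_1$, $C_2$)
  $K \leftarrow \hat{e}(C_1, sk)$
  $m \leftarrow C_2 / K$
  return m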
26 Anonymity of Boneh-Franklin BasicIdent IBE scheme
Theorem: Let BF refer to the Boneh-Franklin BasicIdent IBE scheme in the previous slide, $\mathcal{G}$ be a pairing parameter generator, and A be an adversary against ANO-ID-CPA security of BF, making at most $q_H$ queries to the random oracle H and at most a single query to the LR procedure. Then, there exists an adversary B against the BDDH problem relative to $\mathcal{G}$, whose running time is that of A and such that
$$\mathrm{Adv}^{\text{ano-cpa}}_{A,BF}(k) \le 2 \cdot q_H \cdot \mathrm{Adv}^{\text{bddh}}_{\mathcal{G},k}(B).$$
27 Anonymity of BF scheme
The proof will define a sequence of five games ($G_0, \ldots, G_4$). For simplicity, we assume that mpk = S and omit the other values. We also omit the pairing parameter generation in procedure Initialize.
$G_0$: This game is the real attack game against BF.
$G_1$: We guess the hash query involved in the challenge query and abort if the guess is incorrect, returning a random output for the game.
$G_2$: We change the simulation of the random oracle procedure H so that the game knows the discrete log of H(id) for any identity other than the one used in the challenge.
$G_3$: We change the simulation of the key derivation procedure KeyDer so that the game answers these queries without the knowledge of the master secret key.
$G_4$: In this game, we change the simulation of the LR procedure so that K is chosen uniformly at random.
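28 Game $G_0$
Game $G_0^A$
proc Initialize(k):
  $\beta \xleftarrow{\$} \{0, 1\}$
  $\Lambda_H \leftarrow \varepsilon$ ; $ctr \leftarrow 0$
  $s \xleftarrow{\$} \mathbb{Z}_p$ ; $S \leftarrow g^s$
  $msk \leftarrow s$
  $mpk \leftarrow S$
  Return mpk
proc KeyDer(id):
  if $(ctr, id, Y, y) \notin \Lambda_H$, H(id)
  $sk \leftarrow H(id)^s$
  Return sk
proc H(id):
  if $(ctr, id, Y, y) \in \Lambda_H$, return Y
  $ctr \leftarrow ctr + 1$ ; $Y \xleftarrow{\$} \mathbb{G}$
  $\Lambda_H \leftarrow \Lambda_H \cup \{(ctr, id, Y, y)\}$
  Return Y
proc LR($id_0$, $id_1$, m):
  $r \xleftarrow{\$} \mathbb{Z}_p$ ; $C_1 \leftarrow g^r$
  $K \leftarrow \hat{e}(S, H(id_\beta))^r$
  $C_2 \leftarrow m \cdot K$
  Return ($C_1$, $C_2$)
proc Finalize($\beta'$):
  Return ($\beta' = \beta$)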
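29 Game $G_1$
Game $G_1^A$
proc Initialize(k):
  $\beta \xleftarrow{\$} \{0, 1\}$
  $i \xleftarrow{\$} \{1, \ldots, q_H\}$
  $\Lambda_H \leftarrow \varepsilon$ ; $ctr \leftarrow 0$
  $s \xleftarrow{\$} \mathbb{Z}_p$ ; $S \leftarrow g^s$
  $msk \leftarrow s$
  $mpk \leftarrow S$
  Return mpk
proc KeyDer(id):
  if $(ctr, id, Y, y) \notin \Lambda_H$, H(id)
  $sk \leftarrow H(id)^s$
  Return sk
proc H(id):
  if $(ctr, id, Y, y) \in \Lambda_H$, return Y
  $ctr \leftarrow ctr + 1$ ; $Y \xleftarrow{\$} \mathbb{G}$
  if $i = ctr$ and $id \ne id_\beta$, abort
  $\Lambda_H \leftarrow \Lambda_H \cup \{(ctr, id, Y, y)\}$
  Return Y
proc LR($id_0$, $id_1$, m):
  $r \xleftarrow{\$} \mathbb{Z}_p$ ; $C_1 \leftarrow g^r$
  $K \leftarrow \hat{e}(S, H(id_\beta))^r$
  $C_2 \leftarrow m \cdot K$
  Return ($C_1$, $C_2$)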
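30 Game $G_2$
Game $G_2^A$
proc Initialize(k):
  $\beta \xleftarrow{\$} \{0, 1\}$
  $i \xleftarrow{\$} \{1, \ldots, q_H\}$
  $\Lambda_H \leftarrow \varepsilon$ ; $ctr \leftarrow 0$
  $s \xleftarrow{\$} \mathbb{Z}_p$ ; $S \leftarrow g^s$
  $msk \leftarrow s$
  $mpk \leftarrow S$
  Return mpk
proc KeyDer(id):
  if $(ctr, id, Y, y) \notin \Lambda_H$, H(id)
  $sk \leftarrow H(id)^s$
  Return sk
proc H(id):
  if $(ctr, id, Y, y) \in \Lambda_H$, return Y
  $ctr \leftarrow ctr + 1$ ; $y \xleftarrow{\$} \mathbb{Z}_p$ ; $Y \leftarrow g^y$
  if $i = ctr$ and $id \ne id_\beta$, abort
  $\Lambda_H \leftarrow \Lambda_H \cup \{(ctr, id, Y, y)\}$
  Return Y
proc LR($id_0$, $id_1$, m):
  $r \xleftarrow{\$} \mathbb{Z}_p$ ; $C_1 \leftarrow g^r$
  $K \leftarrow \hat{e}(S, H(id_\beta))^r$
  $C_2 \leftarrow m \cdot K$
  Return ($C_1$, $C_2$)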
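31 Game $G_3$
Game $G_3^A$
proc Initialize(k):
  $\beta \xleftarrow{\$} \{0, 1\}$
  $i \xleftarrow{\$} \{1, \ldots, q_H\}$
  $\Lambda_H \leftarrow \varepsilon$ ; $ctr \leftarrow 0$
  $s \xleftarrow{\$} \mathbb{Z}_p$ ; $S \leftarrow g^s$
  $msk \leftarrow s$
  $mpk \leftarrow S$
  Return mpk
proc KeyDer(id):
  if $(ctr, id, Y, y) \notin \Lambda_H$, H(id)
  read $(ctr, id, Y, y) \in \Lambda_H$
  $sk \leftarrow S^y$
  Return sk
proc H(id):
  if $(ctr, id, Y, y) \in \Lambda_H$, return Y
  $ctr \leftarrow ctr + 1$ ; $y \xleftarrow{\$} \mathbb{Z}_p$ ; $Y \leftarrow g^y$
  if $i = ctr$ and $id \ne id_\beta$, abort
  $\Lambda_H \leftarrow \Lambda_H \cup \{(ctr, id, Y, y)\}$
  Return Y
proc LR($id_0$, $id_1$, m):
  $r \xleftarrow{\$} \mathbb{Z}_p$ ; $C_1 \leftarrow g^r$
  $K \leftarrow \hat{e}(S, H(id_\beta))^r$
  $C_2 \leftarrow m \cdot K$
  Return ($C_1$, $C_2$)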
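32 Game $G_4$
Game $G_4^A$
proc Initialize(k):
  $\beta \xleftarrow{\$} \{0, 1\}$
  $i \xleftarrow{\$} \{1, \ldots, q_H\}$
  $\Lambda_H \leftarrow \varepsilon$ ; $ctr \leftarrow 0$
  $s \xleftarrow{\$} \mathbb{Z}_p$ ; $S \leftarrow g^s$
  $msk \leftarrow s$
  $mpk \leftarrow S$
  Return mpk
proc KeyDer(id):
  if $(ctr, id, Y, y) \notin \Lambda_H$, H(id)
  read $(ctr, id, Y, y) \in \Lambda_H$
  $sk \leftarrow S^y$
  Return sk
proc H(id):
  if $(ctr, id, Y, y) \in \Lambda_H$, return Y
  $ctr \leftarrow ctr + 1$ ; $y \xleftarrow{\$} \mathbb{Z}_p$ ; $Y \leftarrow g^y$
  if $i = ctr$ and $id \ne id_\beta$, abort
  $\Lambda_H \leftarrow \Lambda_H \cup \{(ctr, id, Y, y)\}$
  Return Y
proc LR($id_0$, $id_1$, m):
  $r \xleftarrow{\$} \mathbb{Z}_p$ ; $C_1 \leftarrow g^r$
  $K \xleftarrow{\$} \mathbb{G}_T$
  $C_2 \leftarrow m \cdot K$
  Return ($C_1$, $C_2$)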
33 Probability analysis
Claim 1: $\mathrm{Adv}^{\text{ano-cpa}}_{A,BF}(k) = 2 \cdot \Pr[G_0^A = \text{true}] - 1$
Claim 2: $\Pr[G_1^A = \text{true}] = (1 - 1/q_H) \cdot 1/2 + 1/q_H \cdot \Pr[G_0^A = \text{true}]$
Claim 3: $\Pr[G_2^A = \text{true}] = \Pr[G_1^A = \text{true}]$
Claim 4: $\Pr[G_3^A = \text{true}] = \Pr[G_2^A = \text{true}]$
Claim 5: $\left|\Pr[G_4^A = \text{true}] - \Pr[G_3^A = \text{true}]\right| \le \mathrm{Adv}^{\text{bddh}}_{\mathcal{G},k}(B)$
Claim 6: $\Pr[G_4^A = \text{true}] = 1/2$
It's straightforward to verify that the security theorem follows from the claims above.
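The step the slide calls straightforward, written out as an added derivation that is not on the original slides. It reads Claim 5 as a bound on the absolute difference $|\Pr[G_4^A = \text{true}] - \Pr[G_3^A = \text{true}]|$, which is an assumption about the garbled transcription.

$$\begin{aligned}
\Pr[G_0^A = \text{true}] &= q_H \left(\Pr[G_1^A = \text{true}] - \tfrac{1}{2}\right) + \tfrac{1}{2} && \text{(Claim 2, solved for } \Pr[G_0^A = \text{true}]\text{)} \\
\mathrm{Adv}^{\text{ano-cpa}}_{A,BF}(k) &= 2 \cdot \Pr[G_0^A = \text{true}] - 1 && \text{(Claim 1)} \\
&= 2 \cdot q_H \left(\Pr[G_1^A = \text{true}] - \tfrac{1}{2}\right) \\
&= 2 \cdot q_H \left(\Pr[G_3^A = \text{true}] - \Pr[G_4^A = \text{true}]\right) && \text{(Claims 3, 4 and 6)} \\
&\le 2 \cdot q_H \cdot \mathrm{Adv}^{\text{bddh}}_{\mathcal{G},k}(B) && \text{(Claim 5)}
\end{aligned}$$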
34 Proof of claims
Claim 1 follows from the security definition.
Claims 3 and 4 are true because the changes made to the games do not affect their outcome.
Claim 2 follows from the fact that the output of the game is chosen uniformly at random when aborting.
$$\begin{aligned}
\Pr[G_1^A = \text{true}] &= \Pr[G_1^A = \text{true} \wedge \text{abort}] + \Pr[G_1^A = \text{true} \wedge \neg\text{abort}] \\
&= \Pr[G_1^A = \text{true} \mid \text{abort}] \Pr[\text{abort}] + \Pr[G_1^A = \text{true} \mid \neg\text{abort}] \Pr[\neg\text{abort}] \\
&= 1/2 \cdot (1 - 1/q_H) + \Pr[G_1^A = \text{true} \mid \neg\text{abort}] \cdot 1/q_H \\
&= 1/2 \cdot (1 - 1/q_H) + \Pr[G_0^A = \text{true}] \cdot 1/q_H
\end{aligned}$$
35 Proof of claims (cont.)
In order to prove Claim 5, we need to build an adversary B against the BDDH problem.
Let $(\mathbb{G}, g, A, B, C, Z)$ be the input of B.
B sets mpk = A, $C_1 = B$, $H(id_\beta) = C$, and K = Z. Everything else in the simulation is performed as in $G_3$.
When B is being executed in Game $\mathrm{Exp}^{\text{bddh-0}}_{\mathcal{G},k}(B)$, B simulates $G_3$ to A. That is, $\Pr[G_3^A = \text{true}] = \Pr[\mathrm{Exp}^{\text{bddh-0}}_{\mathcal{G},k}(B) = \text{true}]$.
When B is being executed in Game $\mathrm{Exp}^{\text{bddh-1}}_{\mathcal{G},k}(B)$, B simulates $G_4$ to A. That is, $\Pr[G_4^A = \text{true}] = \Pr[\mathrm{Exp}^{\text{bddh-1}}_{\mathcal{G},k}(B) = \text{true}]$.
The claim follows.
Claim 6 follows from the fact that A has no information about $\beta$ in $G_4$ and that the output of the game is chosen uniformly at random when aborting.
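36 Gentry IBE scheme
Setup($1^k$):
  $(\mathbb{G}, \mathbb{G}_T, p, \hat{e}) \leftarrow \mathcal{G}(1^k)$
  $g \xleftarrow{\$} \mathbb{G}$
  $a \xleftarrow{\$} \mathbb{Z}_p$ ; $A \leftarrow g^a$
  $h \xleftarrow{\$} \mathbb{Z}_p$ ; $H \leftarrow g^h$
  $mpk \leftarrow (g, A, H, \mathbb{G}, \mathbb{G}_T, p, \hat{e})$
  $msk \leftarrow a$
  return (mpk, msk)
KeyDer(msk, id):
  $r \xleftarrow{\$} \mathbb{Z}_p$
  $sk_1 \leftarrow r$
  $sk_2 \leftarrow (g^{-r} H)^{1/(a - id)}$
  return ($sk_1$, $sk_2$)
Enc(mpk, id, m):
  $t \xleftarrow{\$} \mathbb{Z}_p$
  $C_1 \leftarrow (g^{-id} A)^t$
  $C_2 \leftarrow \hat{e}(g, g)^t$
  $K \leftarrow \hat{e}(g, H)^t$
  $C_3 \leftarrow m \cdot K$
  return ($C_1$, $C_2$, $C_3$)
Dec(sk, C):
  parse sk as ($sk_1$, $sk_2$)
  parse C as ($C_1$, $C_2$, $C_3$)
  $K \leftarrow \hat{e}(sk_2, C_1) \cdot C_2^{sk_1}$
  $m \leftarrow C_3 / K$
  return m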
37 Correctness of Gentry IBE scheme
For a valid ciphertext, we have:
$$\begin{aligned}
K &= \hat{e}(sk_2, C_1) \cdot C_2^{sk_1} \\
&= \hat{e}\big((g^{-r} H)^{1/(a - id)}, (g^{-id} A)^t\big) \cdot \hat{e}(g, g)^{tr} \\
&= \hat{e}(g^{-r} H, g^t) \cdot \hat{e}(g, g)^{tr} \\
&= \hat{e}(g^{-r}, g^t) \cdot \hat{e}(H, g^t) \cdot \hat{e}(g, g)^{tr} \\
&= \hat{e}(H, g^t) = K
\end{aligned}$$
39 The bdop-ibe-2-peks transform
PEKS (KeyGen, PEKS, Td, Test)  |  IBE (Setup, KeyDer, Enc, Dec)
pk  |  mpk
sk  |  msk
Keyword w  |  Identity w
Trapdoor $t_w \leftarrow \mathrm{Td}(sk, w)$  |  Secret key $sk_w \leftarrow \mathrm{KeyDer}(msk, w)$
$C \leftarrow \mathrm{PEKS}(pk, w)$  |  $C \leftarrow \mathrm{Enc}(mpk, w, 0^k)$
$\mathrm{Test}(t_w, C)$  |  $\mathrm{Dec}(sk_w, C) = 0^k$ ?
40 The new-ibe-2-peks transform
PEKS (KeyGen, PEKS, Td, Test)  |  IBE (Setup, KeyDer, Enc, Dec)
pk  |  mpk
sk  |  msk
Keyword w  |  Identity w
Trapdoor $t_w \leftarrow \mathrm{Td}(sk, w)$  |  Secret key $sk_w \leftarrow \mathrm{KeyDer}(msk, w)$
$C \leftarrow \mathrm{PEKS}(pk, w)$  |  $C_1 \xleftarrow{\$} \{0, 1\}^k$ ; $C_2 \leftarrow \mathrm{Enc}(mpk, w, C_1)$
$\mathrm{Test}(t_w, C)$  |  $\mathrm{Dec}(sk_w, C_2) = C_1$ ?
More informationTheoretical Computer Science. Direct chosen-ciphertext secure identity-based key encapsulation without random oracles
Theoretical Computer Science 40 (2009) 5093 5 Contents lists available at ScienceDirect Theoretical Computer Science journal homepage: www.elsevier.com/locate/tcs Direct chosen-ciphertext secure identity-based
More informationStandard Security Does Not Imply Indistinguishability Under Selective Opening
Standard Security Does Not Imply Indistinguishability Under Selective Opening Dennis Hofheinz 1, Vanishree Rao 2, and Daniel Wichs 3 1 Karlsruhe Institute of Technology, Germany, dennis.hofheinz@kit.edu
More informationShort Signatures Without Random Oracles
Short Signatures Without Random Oracles Dan Boneh and Xavier Boyen (presented by Aleksandr Yampolskiy) Outline Motivation Preliminaries Secure short signature Extensions Conclusion Why signatures without
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K, E, D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2
More informationHidden-Vector Encryption with Groups of Prime Order
Hidden-Vector Encryption with Groups of Prime Order Vincenzo Iovino 1 and Giuseppe Persiano 1 Dipartimento di Informatica ed Applicazioni, Università di Salerno, 84084 Fisciano (SA), Italy. iovino,giuper}@dia.unisa.it.
More informationNew Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts
New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko University of Texas at Austin alewko@cs.utexas.edu Brent Waters University of Texas at Austin bwaters@cs.utexas.edu
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationIII. Pseudorandom functions & encryption
III. Pseudorandom functions & encryption Eavesdropping attacks not satisfactory security model - no security for multiple encryptions - does not cover practical attacks new and stronger security notion:
More informationBounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT) Bounded-Collusion IBE from Semantically-Secure
More informationCryptographically Enforced RBAC
Cryptographically Enforced RBAC Anna Lisa Ferrara 1, Georg Fuchsbauer 2, and Bogdan Warinschi 1 1 University of Bristol, UK, anna.lisa.ferrara@bristol.ac.uk,bogdan@cs.bris.ac.uk 2 Institute of Science
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationDual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions
Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions Brent Waters University of Texas at Austin Abstract We present a new methodology for proving security of encryption
More information15 Public-Key Encryption
15 Public-Key Encryption So far, the encryption schemes that we ve seen are symmetric-key schemes. The same key is used to encrypt and decrypt. In this chapter we introduce public-key (sometimes called
More informationEfficient Selective Identity-Based Encryption Without Random Oracles
Efficient Selective Identity-Based Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient Identity-Based Encryption (IBE) systems that admit selectiveidentity
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationSemantic Security and Indistinguishability in the Quantum World
Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni 1, Andreas Hülsing 2, Christian Schaffner 3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands
More informationEfficient Identity-based Encryption Without Random Oracles
Efficient Identity-based Encryption Without Random Oracles Brent Waters Weiwei Liu School of Computer Science and Software Engineering 1/32 Weiwei Liu Efficient Identity-based Encryption Without Random
More informationFunction-Private Identity-Based Encryption: Hiding the Function in Functional Encryption
Function-Private Identity-Based Encryption: Hiding the Function in Functional Encryption Dan Boneh Ananth Raghunathan Gil Segev Abstract We put forward a new notion, function privacy, in identity-based
More informationNew Framework for Secure Server-Designation Public Key Encryption with Keyword Search
New Framework for Secure Server-Designation Public Key Encryption with Keyword Search Xi-Jun Lin,Lin Sun and Haipeng Qu April 1, 2016 Abstract: Recently, a new framework, called secure server-designation
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationStronger Public Key Encryption Schemes
Stronger Public Key Encryption Schemes Withstanding RAM Scraper Like Attacks Prof. C.Pandu Rangan Professor, Indian Institute of Technology - Madras, Chennai, India-600036. C.Pandu Rangan (IIT Madras)
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationExpressive Search on Encrypted Data
Singapore Management University Institutional Knowledge at Singapore Management University Research Collection School Of Information Systems School of Information Systems 5-2013 Expressive Search on Encrypted
More informationThe k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions
The k-bdh Assumption Family: Bilinear Cryptography from Progressively Weaker Assumptions Karyn Benson (UCSD) Hovav Shacham (UCSD) Brent Waters (UT-Austin) Provable Security How to show your cryptosystem
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationAnonymous IBE from Quadratic Residuosity with Improved Performance
Anonymous IBE from Quadratic Residuosity with Improved Performance Michael Clear, Hitesh Tewari, Ciarán McGoldrick School of Computer Science and Statistics, Trinity College Dublin Keywords: Identity Based
More informationCS 6260 Applied Cryptography
CS 6260 Applied Cryptography Symmetric encryption schemes A scheme is specified by a key generation algorithm K, an encryption algorithm E, and a decryption algorithm D. K K =(K,E,D) MsgSp-message space
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationRobust Encryption. ;
Robust Encryption Michel Abdalla 1, Mihir Bellare 2, and Gregory Neven 3,4 1 Departement d Informatique, École normale supérieure, Paris, France. Michel.Abdalla@ens.fr ; http://www.di.ens.fr/users/mabdalla
More informationDual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More
Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More Nuttapong Attrapadung (Nuts) AIST, Japan @Eurocrypt 2014, Copenhagen
More informationA Posteriori Openable Public Key Encryption *
A Posteriori Openable Public Key Encryption * Xavier Bultel 1, Pascal Lafourcade 1, CNRS, UMR 6158, LIMOS, F-63173 Aubière, France Université Clermont Auvergne, LIMOS, BP 10448, 63000 Clermont-Ferrand,
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationAnonymous Constant-Size Ciphertext HIBE From Asymmetric Pairings
Anonymous Constant-Size Ciphertext HIBE From Asymmetric Pairings Somindu C. Ramanna and Palash Sarkar Applied Statistics nit Indian Statistical Institute 203, B.T. Road, Kolkata India 700108. e-mail: {somindu
More informationInstantiating the Dual System Encryption Methodology in Bilinear Groups
Instantiating the Dual System Encryption Methodology in Bilinear Groups Allison Lewko joint work with Brent Waters Motivation classical public key cryptography: Alice Bob Eve Motivation functional encryption:
More informationPublic Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time
Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time Yi-Ru Liu, Wen-Guey Tzeng Department of Computer Science National Chiao Tung University Hsinchu, Taiwan 30050 Email:
More informationLR-RRA-CCA Secure Functional Encryption for Randomized Functionalities from Trapdoor HPS and LAF
. Supplementary File. SCIENCE CHINA Information Sciences LR-RRA-CCA Secure Functional Encryption for Randomized Functionalities from Trapdoor HPS and LAF Huige WANG 1,2, Kefei CHEN 3 *, Baodong QIN 4,5
More informationBetter Security for Functional Encryption for Inner Product Evaluations
Better Security for Functional Encryption for Inner Product Evaluations Michel Abdalla, Florian Bourse, Angelo De Caro, and David Pointcheval Département d Informatique, École normale supérieure {michel.abdalla,florian.bourse,angelo.decaro,david.pointcheval}@ens.fr
More informationThe Twin Diffie-Hellman Problem and Applications
The Twin Diffie-Hellman Problem and Applications David Cash 1 Eike Kiltz 2 Victor Shoup 3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This
More informationRemove Key Escrow from The Identity-Based Encryption System
Remove Key Escrow from The Identity-Based Encryption System Zhaohui Cheng, Richard Comley and Luminita Vasiu School of Computing Science, Middlesex University, White Hart Lane, London N17 8HR, UK. {m.z.cheng,r.comley,l.vasiu}@mdx.ac.uk
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationEfficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption
Appl. Math. Inf. Sci. 8, No. 2, 633-638 (2014) 633 Applied Mathematics & Information Sciences An International Journal http://dx.doi.org/10.12785/amis/080221 Efficient Chosen-Ciphtertext Secure Public
More informationDefinitional Issues in Functional Encryption
Definitional Issues in Functional Encryption Adam O Neill Abstract We provide a formalization of the emergent notion of functional encryption, as well as introduce various security notions for it, and
More informationRobust Encryption. Michel Abdalla 1 Mihir Bellare 2 Gregory Neven 3
n extended abstract of this paper appears in the Proceedings of the 7th Theory of Cryptography Conference (TCC 010), Lecture Notes in Computer Science 5978, D. Micciancio ed., Springer, 010. This is the
More informationRecent Advances in Identity-based Encryption Pairing-based Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-based Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationThreshold broadcast encryption with keyword search
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2016 Threshold broadcast encryption with keyword
More informationCryptography from Pairings
DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 1 Cryptography from Pairings Kenny Paterson kenny.paterson@rhul.ac.uk May 31st 2007 DIAMANT/EIDMA Symposium, May 31st/June 1st 2007 2 The Pairings Explosion
More informationNew Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption
New Lower Bounds on Predicate Entropy for Function Private Public-Key Predicate Encryption Sikhar Patranabis and Debdeep Mukhopadhyay Department of Computer Science and Engineering Indian Institute of
More informationOn the Achievability of Simulation-Based Security for Functional Encryption
On the Achievability of Simulation-Based Security for Functional Encryption Angelo De Caro 1, Vincenzo Iovino 2, Abhishek Jain 3, Adam O Neill 4, Omer Paneth 5, and Giuseppe Persiano 6 1 IBM Research Zurich,
More informationarxiv: v1 [cs.cr] 24 Feb 2017
Efficient Hidden Vector Encryptions and Its Applications 1 arxiv:1702.07456v1 [cs.cr] 24 Feb 2017 Kwangsu Lee A Thesis for the Degree of Doctor of Philosophy Department of Information Security, Graduate
More informationChosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
More information