Attribute-Based Broadcast Encryption Scheme Made Efficient
|
|
- Cornelia Washington
- 8 years ago
- Views:
Transcription
1 Attribute-Based Broadcast Encryption Scheme Made Efficient David Lubicz Thomas Sirvent D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 1 / 23
2 Outline 1 Context Broadcast encryption Efficiency of standard schemes Attributes in broadcast encryption A previous construction 2 Our Scheme Principle of the scheme In practice? Full description of the scheme Efficiency and security D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 2 / 23
3 Outline 1 Context Broadcast encryption Efficiency of standard schemes Attributes in broadcast encryption A previous construction 2 Our Scheme Principle of the scheme In practice? Full description of the scheme Efficiency and security D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 3 / 23
4 Broadcast A broadcaster intends to send securely and efficiently the same message to a large number of receivers: D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 4 / 23
5 Revocation In the case of a revocation, some users are removed from the set of receivers (for example when their decryption keys are compromised): D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 5 / 23
6 Permanent revocation In the case of a permanent revocation, the decryption keys are updated. The revoked users are not able anymore to obtain the messages sent by the broadcaster: D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 6 / 23
7 Temporary revocation When permanent revocations are used (stateful schemes), receivers must remain online, receivers must store and use new decryption keys. To avoid these limitations, it is possible to use stateless schemes, where revocations are temporary: in the encryption process, the broadcaster chooses the set of receivers, only members of this set may decrypt the message. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 7 / 23
8 Efficiency of standard schemes In stateful schemes (like LKH), a common decryption key is known by all receivers, a specific structure allows join and revoke operations. Join and revoke operations require large bandwidth. Good schemes for sets of receivers with rare modifications. In stateless schemes (like CS or SD), join and revoke operations do not exist, a specific structure allows encryption. Ciphertexts require large bandwidth. Good schemes for a small number of revoked users. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 8 / 23
9 Efficiency of standard schemes In stateful schemes (like LKH), a common decryption key is known by all receivers, a specific structure allows join and revoke operations. Join and revoke operations require large bandwidth. Good schemes for sets of receivers with rare modifications. In stateless schemes (like CS or SD), join and revoke operations do not exist, a specific structure allows encryption. Ciphertexts require large bandwidth. Good schemes for a small number of revoked users. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 8 / 23
10 Attributes and users In practical applications of broadcast, users have attributes that can be used to describe efficently the set of receivers. Id Name Subscription Expiry Date Location 1 Alice Movies Jan 2009 Europe 2 Bob News / Sports Aug 2009 Africa 3 Charlie Entertainment May 2008 Asia 4 Dave News / Movies Jun 2009 Asia 5 Eve Entertainment / Sports Jan 2008 Africa Is it possible to send efficiently a movie in June 2008? Evolution of the set of receivers : fast Number of revoked users: large Number of users: large But a specific structure! D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 9 / 23
11 Goal Build a broadcast encryption scheme such that: when the set of receivers is defined by attributes, the efficiency depends only on the number of attributes used, any set of receivers has a reasonnable efficiency? D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 10 / 23
12 A previous construction An attribute-based broadcast scheme comes from: [SW05]: use of a single attribute, [GPSW06]: use of several attributes, [BSW07]: policy defined by the ciphertext, [OSW07]: non-monotonic policy (use of NOT). The policy is defined by: threshold functions (including AND and OR functions), NOT functions. Efficiency: ++ Ciphertexts have a linear size in the number of attributes, Decryption requires a linear number of pairing computations. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 11 / 23
13 A previous construction An attribute-based broadcast scheme comes from: [SW05]: use of a single attribute, [GPSW06]: use of several attributes, [BSW07]: policy defined by the ciphertext, [OSW07]: non-monotonic policy (use of NOT). The policy is defined by: threshold functions (including AND and OR functions), NOT functions. Efficiency: ++ Ciphertexts have a linear size in the number of attributes, Decryption requires a linear number of pairing computations. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 11 / 23
14 A previous construction An attribute-based broadcast scheme comes from: [SW05]: use of a single attribute, [GPSW06]: use of several attributes, [BSW07]: policy defined by the ciphertext, [OSW07]: non-monotonic policy (use of NOT). The policy is defined by: threshold functions (including AND and OR functions), NOT functions. Efficiency: ++ Ciphertexts have a linear size in the number of attributes, Decryption requires a linear number of pairing computations. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 11 / 23
15 Outline 1 Context Broadcast encryption Efficiency of standard schemes Attributes in broadcast encryption A previous construction 2 Our Scheme Principle of the scheme In practice? Full description of the scheme Efficiency and security D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 12 / 23
16 Principle of the scheme (1) Each attribute is associated with an element µ i Z/pZ. User u: Ω(u) is its set of attributes, dk u is its decryption key. dk u (X µ). µ Ω(u) Encryption: a header hdr and a key K are built from Ω R : the set of revoked attributes, Ω N : the set of needed attributes. K (X µ) hdr µ Ω N (X µ). µ Ω R Ω N D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 13 / 23
17 Principle of the scheme (1) Each attribute is associated with an element µ i Z/pZ. User u: Ω(u) is its set of attributes, dk u is its decryption key. dk u (X µ). µ Ω(u) Encryption: a header hdr and a key K are built from Ω R : the set of revoked attributes, Ω N : the set of needed attributes. K (X µ) hdr µ Ω N (X µ). µ Ω R Ω N D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 13 / 23
18 Principle of the scheme (1) Each attribute is associated with an element µ i Z/pZ. User u: Ω(u) is its set of attributes, dk u is its decryption key. dk u (X µ). µ Ω(u) Encryption: a header hdr and a key K are built from Ω R : the set of revoked attributes, Ω N : the set of needed attributes. K (X µ) hdr µ Ω N (X µ). µ Ω R Ω N D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 13 / 23
19 Principle of the scheme (2) Decryption: compute the GCD (greatest common divisor) of the decryption key dk u and the header hdr to obtain the key K. GCD(dk u, hdr) µ Ω(u) (Ω R Ω N ) (X µ). Is it accurate? GCD(dk u, hdr) = K Ω(u) (Ω R Ω N ) = Ω N Ω(u) Ω R = and Ω N Ω(u). D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 14 / 23
20 Principle of the scheme (2) Decryption: compute the GCD (greatest common divisor) of the decryption key dk u and the header hdr to obtain the key K. GCD(dk u, hdr) µ Ω(u) (Ω R Ω N ) (X µ). Is it accurate? GCD(dk u, hdr) = K Ω(u) (Ω R Ω N ) = Ω N Ω(u) Ω R = and Ω N Ω(u). D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 14 / 23
21 In Practice? In practical applications, it is not possible to use polynomials. For all polynomial P, we use P(α)g 1 instead of P, where: g 1 is a public generator of a group G 1 in which the DLP is hard, α is a secret value. The GCD is computed using extended Euclide s algorithm. We need a non-degenerate pairing, i.e. a map e : G 1 G 1 G 2 where: (G 1, g 1 ) and (G 2, g 2 ) are two cyclic groups of same prime order p, e(g 1, g 1 ) = g 2, e is bilinear. The group laws in G 1 and G 2 are noted additively: e(a g 1, b g 1 ) = a b g 2. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 15 / 23
22 In Practice? In practical applications, it is not possible to use polynomials. For all polynomial P, we use P(α)g 1 instead of P, where: g 1 is a public generator of a group G 1 in which the DLP is hard, α is a secret value. The GCD is computed using extended Euclide s algorithm. We need a non-degenerate pairing, i.e. a map e : G 1 G 1 G 2 where: (G 1, g 1 ) and (G 2, g 2 ) are two cyclic groups of same prime order p, e(g 1, g 1 ) = g 2, e is bilinear. The group laws in G 1 and G 2 are noted additively: e(a g 1, b g 1 ) = a b g 2. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 15 / 23
23 In Practice? In practical applications, it is not possible to use polynomials. For all polynomial P, we use P(α)g 1 instead of P, where: g 1 is a public generator of a group G 1 in which the DLP is hard, α is a secret value. The GCD is computed using extended Euclide s algorithm. We need a non-degenerate pairing, i.e. a map e : G 1 G 1 G 2 where: (G 1, g 1 ) and (G 2, g 2 ) are two cyclic groups of same prime order p, e(g 1, g 1 ) = g 2, e is bilinear. The group laws in G 1 and G 2 are noted additively: e(a g 1, b g 1 ) = a b g 2. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 15 / 23
24 Protection against some attacks Attack 1 : Attributes in headers can be modified. (Linear combinations of different headers) Randomized headers (using z). Attack 2 : Attributes in decryption keys can be modified. (Linear combinations of different decryption keys) Randomized decryption keys (using s u ). Attack 3 : Other computations (than GCD ) can be performed. (Pairing computations on some specific pairs of group elements) New parameters (γ and δ). D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 16 / 23
25 Protection against some attacks Attack 1 : Attributes in headers can be modified. (Linear combinations of different headers) Randomized headers (using z). Attack 2 : Attributes in decryption keys can be modified. (Linear combinations of different decryption keys) Randomized decryption keys (using s u ). Attack 3 : Other computations (than GCD ) can be performed. (Pairing computations on some specific pairs of group elements) New parameters (γ and δ). D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 16 / 23
26 Protection against some attacks Attack 1 : Attributes in headers can be modified. (Linear combinations of different headers) Randomized headers (using z). Attack 2 : Attributes in decryption keys can be modified. (Linear combinations of different decryption keys) Randomized decryption keys (using s u ). Attack 3 : Other computations (than GCD ) can be performed. (Pairing computations on some specific pairs of group elements) New parameters (γ and δ). D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 16 / 23
27 Full scheme - key generation We randomly choose a secret 4-uple (α, β, γ, δ) ((Z/pZ) ) 4, Each user u is associated with a secret s u (Z/pZ), Each attribute is associated with a public µ i (Z/pZ) \ {α}. EK = (g 1, β γ δ g 1, ( µ i, α i g 1, α i γ g 1, α i ) δ g 1 dk u = (Ω(u), (β + s u )δ g 1, γ s u Π(u)g 1, ( α i ) γ δ s u g 1 where 0 i l ). 0 i<l(u) Ω(u) = {µ i (Z/pZ)/µ i attribute of u}, l(u) = Ω(u) is the number of attributes of u, Π(u) = µ Ω(u) (α µ). ), D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 17 / 23
28 Full scheme - encryption Let Ω N be the set of needed attributes. Soit Ω R be the set of revoked attributes. A user u is valid for these sets if: Ω N Ω(u) and Ω R Ω(u) =. The encryption for these sets (Ω N, Ω R ) gives : hdr = (Ω N, Ω R, z Π NR g 1, γ z Π N g 1, ( ) α i δ z g 1, )0 i<l R K = β γ δ z Π N g 2. where z is randomly chosen in (Z/pZ), l R = Ω R, Π N = µ ΩN(α µ), Π NR = Π N µ ΩR(α µ). D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 18 / 23
29 Full scheme - decryption The decryption is based on a decryption key dk u and a header hdr: { dk u = (Ω(u), dk 1, dk 2, dk 3,0,...,dk 3,l(u) 1 ), hdr = (Ω N, Ω R, hdr 1, hdr 2, hdr 3,0,...,hdr 3,l R 1). If u is a valid receiver, extended Euclide s algorithm gives two polynomials V(X) = l(u) 1 i=0 v i X i and W(X) = l R 1 i=0 w ix i such that: V(X) (X µ) + W(X) (X µ) = (X µ). µ (Ω N Ω R ) µ Ω(u) µ Ω N The key is obtained by: l(u) 1 e(dk 1, hdr 2 ) e v i dk 3,i, hdr 1 e dk 2, i=0 l R 1 i=0 w i hdr 3,i. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 19 / 23
30 Full scheme - correctness V(α)Π NR + W(α)Π(u) = Π N. V(α) = l(u) 1 i=0 v i α i W(α) = l R 1 i=0 w i α i dk 1 = (β + s u )δ g 1 hdr 1 = z Π NR g 1 dk 2 = γ s u Π(u)g 1 hdr 2 = γ z Π N g 1 dk 3,i = α i γ δ s u g 1 hdr 3,i = α i δ z g 1 l(u) 1 e(dk 1, hdr 2 ) e v i dk 3,i, hdr 1 e dk 2, i=0 l R 1 i=0 w i hdr 3,i K = β γ δ z Π N g 2. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 20 / 23
31 Efficiency of this scheme Size of ciphertexts : linear in Ω N + Ω R. Computations : Decryption : 3 pairing computations, Encryption : 1 pairing computation (none if we extend EK). Size of keys : EK linear in l, dk u linear in l(u). D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 21 / 23
32 Efficiency of this scheme Size of ciphertexts : linear in Ω N + Ω R. Computations : Decryption : 3 pairing computations, Encryption : 1 pairing computation (none if we extend EK). Size of keys : EK linear in l, dk u linear in l(u). D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 21 / 23
33 Efficiency of this scheme Size of ciphertexts : linear in Ω N + Ω R. Computations : Decryption : 3 pairing computations, Encryption : 1 pairing computation (none if we extend EK). Size of keys : EK linear in l, dk u linear in l(u). D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 21 / 23
34 Security and other features The security has been proved in the generic model of groups with pairings. Some features: EK can be strongly reduced in some cases, new users can join easily, for any set of receivers, at least as efficient as the SD scheme. Threshold functions are however not available in this scheme. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 22 / 23
35 Security and other features The security has been proved in the generic model of groups with pairings. Some features: EK can be strongly reduced in some cases, new users can join easily, for any set of receivers, at least as efficient as the SD scheme. Threshold functions are however not available in this scheme. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 22 / 23
36 Security and other features The security has been proved in the generic model of groups with pairings. Some features: EK can be strongly reduced in some cases, new users can join easily, for any set of receivers, at least as efficient as the SD scheme. Threshold functions are however not available in this scheme. D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 22 / 23
37 Thank you for your attention! D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 23 / 23
Cryptanalysis of Cloud based computing
Cryptanalysis of Cloud based computing COMP 4109 Elom Tsiagbey Overview Introduction Recent threats to cloud computing Key Management models Conclusion Proposed key management model What is Cloud Computing?
More information3-6 Toward Realizing Privacy-Preserving IP-Traceback
3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems
More informationCSC474/574 - Information Systems Security: Homework1 Solutions Sketch
CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher
More informationSecure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment
Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment Chih Hung Wang Computer Science and Information Engineering National Chiayi University Chiayi City 60004,
More informationOverview of Public-Key Cryptography
CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows
More informationEnforcing Role-Based Access Control for Secure Data Storage in the Cloud
The Author 211. Published by Oxford University Press on behalf of The British Computer Society. All rights reserved. For Permissions please email: journals.permissions@oup.com Advance Access publication
More informationPractice Questions. CS161 Computer Security, Fall 2008
Practice Questions CS161 Computer Security, Fall 2008 Name Email address Score % / 100 % Please do not forget to fill up your name, email in the box in the midterm exam you can skip this here. These practice
More informationRSA Attacks. By Abdulaziz Alrasheed and Fatima
RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.
More informationTHE UNIVERSITY OF TRINIDAD & TOBAGO
THE UNIVERSITY OF TRINIDAD & TOBAGO FINAL ASSESSMENT/EXAMINATIONS DECEMBER 2013 ALTERNATE Course Code and Title: TCOM3003 Communication Security and Privacy Programme: Bachelor of Applied Science in Computer
More informationAuthenticated encryption
Authenticated encryption Dr. Enigma Department of Electrical Engineering & Computer Science University of Central Florida wocjan@eecs.ucf.edu October 16th, 2013 Active attacks on CPA-secure encryption
More informationComments on "public integrity auditing for dynamic data sharing with multi-user modification"
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers Faculty of Engineering and Information Sciences 2016 Comments on "public integrity auditing for dynamic
More informationLecture 6 - Cryptography
Lecture 6 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07 Question 2 Setup: Assume you and I don t know anything about
More informationBasic Algorithms In Computer Algebra
Basic Algorithms In Computer Algebra Kaiserslautern SS 2011 Prof. Dr. Wolfram Decker 2. Mai 2011 References Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, 1993. Cox, D.; Little,
More informationOutline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg
Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian
More informationElements of Applied Cryptography Public key encryption
Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash
More informationChapter 3. Network Domain Security
Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter
More informationCS 758: Cryptography / Network Security
CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html
More informationKey Management and Distribution
and Distribution CSS322: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 23 January 2011 CSS322Y10S2L12, Steve/Courses/CSS322/Lectures/key.tex,
More informationThe application of prime numbers to RSA encryption
The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered
More informationOutsourcing the Decryption of ABE Ciphertexts
Outsourcing the Decryption of ABE Ciphertexts Matthew Green and Susan Hohenberger Johns Hopkins University Brent Waters UT Austin Background A problem Securing records in a data-sharing environment E.g.,
More informationSignature Schemes. CSG 252 Fall 2006. Riccardo Pucella
Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More informationIdentity-Based Encryption from the Weil Pairing
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
More informationDigital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem
Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies
More informationCIS 433/533 - Computer and Network Security Public Key Crypto/ Cryptographic Protocols
CIS 433/533 - Computer and Network Security Public Key Crypto/ Cryptographic Protocols Professor Kevin Butler Winter 2010 Computer and Information Science Key Distribution/Agreement Key Distribution is
More informationCS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.
CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014. Instructor: Sharon Goldberg March 25, 2014. 9:30-10:50 AM. One-sided handwritten aid sheet allowed. No cell phone or calculators
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is
More informationKEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1
KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Alice M D sk[a] (C) Bob pk[a] C C $ E pk[a] (M) σ $ S sk[a] (M) M, σ Vpk[A] (M, σ) Bob can: send encrypted data
More informationReferences: Adi Shamir, How to Share a Secret, CACM, November 1979.
Ad Hoc Network Security References: Adi Shamir, How to Share a Secret, CACM, November 1979. Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang, Providing Robust and Ubiquitous Security Support
More informationDigital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?
Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)
More informationModule: Applied Cryptography. Professor Patrick McDaniel Fall 2010. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Applied Cryptography Professor Patrick McDaniel Fall 2010 Page 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationMulti-Channel Broadcast Encryption
Multi-Channel Broadcast Encryption Duong Hieu Phan 1,2, David Pointcheval 2, and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. Broadcast encryption aims at sending a content
More informationLecture 17: Re-encryption
600.641 Special Topics in Theoretical Cryptography April 2, 2007 Instructor: Susan Hohenberger Lecture 17: Re-encryption Scribe: Zachary Scott Today s lecture was given by Matt Green. 1 Motivation Proxy
More informationAn Efficient Security Based Multi Owner Data Sharing for Un-Trusted Groups Using Broadcast Encryption Techniques in Cloud
An Efficient Security Based Multi Owner Data Sharing for Un-Trusted Groups Using Broadcast Encryption Techniques in Cloud T.Vijayalakshmi 1, Balika J Chelliah 2,S.Alagumani 3 and Dr.J.Jagadeesan 4 1 PG
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationIntroduction to Cryptography CS 355
Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru
More informationRobust and Simple N-Party Entangled Authentication Cloud Storage Protocol Based on Secret Sharing Scheme
Journal of Information Hiding and Multimedia Signal Processing 2013 ISSN 2073-4212 Ubiquitous International Volume 4, Number 2, April 2013 Robust and Simple N-Party Entangled Authentication Cloud Storage
More informationIntroduction to Cryptography
Introduction to Cryptography Part 3: real world applications Jean-Sébastien Coron January 2007 Public-key encryption BOB ALICE Insecure M E C C D channel M Alice s public-key Alice s private-key Authentication
More informationDigital Signatures. Prof. Zeph Grunschlag
Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each
More informationFunctional Encryption for Public-Attribute Inner Products: Achieving Constant-Size Ciphertexts with Adaptive Security or Support for Negation
Functional Encryption for Public-Attribute Inner Products: Achieving Constant-Size Ciphertexts with Adaptive Security or Support for Negation Nuttapong Attrapadung 1 and Benoît Libert 2 1 Research Center
More informationCryptography: RSA and Factoring; Digital Signatures; Ssh
Cryptography: RSA and Factoring; Digital Signatures; Ssh Greg Plaxton Theory in Programming Practice, Spring 2005 Department of Computer Science University of Texas at Austin The Hardness of Breaking RSA
More informationC-CP-ABE: Cooperative Ciphertext Policy Attribute-Based Encryption for the Internet of Things
C-CP-ABE: Cooperative Ciphertext Policy Attribute-Based Encryption for the Internet of Things Lyes Touati, Yacine Challal, Abdelmadjid Bouabdallah To cite this version: Lyes Touati, Yacine Challal, Abdelmadjid
More informationSharing Of Multi Owner Data in Dynamic Groups Securely In Cloud Environment
Sharing Of Multi Owner Data in Dynamic Groups Securely In Cloud Environment Deepa Noorandevarmath 1, Rameshkumar H.K 2, C M Parameshwarappa 3 1 PG Student, Dept of CS&E, STJIT, Ranebennur. Karnataka, India
More informationCryptography & Network Security. Introduction. Chester Rebeiro IIT Madras
Cryptography & Network Security Introduction Chester Rebeiro IIT Madras The Connected World 2 Information Storage 3 Increased Security Breaches 81% more in 2015 http://www.pwc.co.uk/assets/pdf/2015-isbs-executive-summary-02.pdf
More informationEfficient File Sharing in Electronic Health Records
Efficient File Sharing in Electronic Health Records Clémentine Gritti, Willy Susilo and Thomas Plantard University of Wollongong, Australia 27/02/2015 1/20 Outline for Section 1 1 Introduction 2 Solution
More informationStudy of algorithms for factoring integers and computing discrete logarithms
Study of algorithms for factoring integers and computing discrete logarithms First Indo-French Workshop on Cryptography and Related Topics (IFW 2007) June 11 13, 2007 Paris, France Dr. Abhijit Das Department
More informationCS377: Database Systems Data Security and Privacy. Li Xiong Department of Mathematics and Computer Science Emory University
CS377: Database Systems Data Security and Privacy Li Xiong Department of Mathematics and Computer Science Emory University 1 Principles of Data Security CIA Confidentiality Triad Prevent the disclosure
More informationSecure Role-Based Access Control on Encrypted Data in Cloud Storage using Raspberry PI
Volume: 2, Issue: 7, 20-27 July 2015 www.allsubjectjournal.com e-issn: 2349-4182 p-issn: 2349-5979 Impact Factor: 3.762 Miss Rohini Vidhate Savitribai Phule Pune University. Mr. V. D. Shinde Savitribai
More informationAn Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood
An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood One significant impediment to the widespread adoption of public-key cryptography is its dependence on a public-key infrastructure
More informationSecurity Sensor Network. Biswajit panja
Security Sensor Network Biswajit panja 1 Topics Security Issues in Wired Network Security Issues in Wireless Network Security Issues in Sensor Network 2 Security Issues in Wired Network 3 Security Attacks
More informationEFFICIENT AND SECURE ATTRIBUTE REVOCATION OF DATA IN MULTI-AUTHORITY CLOUD STORAGE
EFFICIENT AND SECURE ATTRIBUTE REVOCATION OF DATA IN MULTI-AUTHORITY CLOUD STORAGE Reshma Mary Abraham and P. Sriramya Computer Science Engineering, Saveetha University, Chennai, India E-Mail: reshmamaryabraham@gmail.com
More informationBrocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1
PKI Tutorial Jim Kleinsteiber February 6, 2002 Page 1 Outline Public Key Cryptography Refresher Course Public / Private Key Pair Public-Key Is it really yours? Digital Certificate Certificate Authority
More informationNetwork Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography
Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Encryption/Decryption using Public Key Cryptography Network Security Chapter 2 Basics 2.2 Public Key Cryptography
More informationDiscrete Mathematics, Chapter 4: Number Theory and Cryptography
Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility
More informationComputer and Network Security. Alberto Marchetti Spaccamela
Computer and Network Security Alberto Marchetti Spaccamela Slides are strongly based on material by Amos Fiat Good crypto courses on the Web with interesting material on web site of: Ron Rivest, MIT Dan
More informationCategorical Heuristic for Attribute Based Encryption in the Cloud Server
Categorical Heuristic for Attribute Based Encryption in the Cloud Server R. Brindha 1, R. Rajagopal 2 1( M.E, Dept of CSE, Vivekanandha Institutes of Engineering and Technology for Women, Tiruchengode,
More informationFirst Semester Examinations 2011/12 INTERNET PRINCIPLES
PAPER CODE NO. EXAMINER : Martin Gairing COMP211 DEPARTMENT : Computer Science Tel. No. 0151 795 4264 First Semester Examinations 2011/12 INTERNET PRINCIPLES TIME ALLOWED : Two Hours INSTRUCTIONS TO CANDIDATES
More informationMathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information
The : Keeping Eve The Eavesdropper Away From Your Credit Card Information Department of Mathematics North Dakota State University 16 September 2010 Science Cafe Introduction Disclaimer: is not an internet
More informationIdentity-Based Encryption
Identity-Based ryption Gregory Neven IBM Zurich Research Laboratory gone WILD Public-key encryption PKI pk KeyGen sk M Dec M Sender (pk) Receiver (sk) 2 1 Identity-based encryption (IBE) [S84] Goal: Allow
More informationMassachusetts Institute of Technology Handout 13 6.857: Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.
Massachusetts Institute of Technology Handout 13 6.857: Network and Computer Security October 9, 2003 Professor Ronald L. Rivest Quiz 1 1. This quiz is intended to provide a fair measure of your understanding
More informationSFWR ENG 4C03 - Computer Networks & Computer Security
KEY MANAGEMENT SFWR ENG 4C03 - Computer Networks & Computer Security Researcher: Jayesh Patel Student No. 9909040 Revised: April 4, 2005 Introduction Key management deals with the secure generation, distribution,
More informationPrivacy, Discovery, and Authentication for the Internet of Things
Privacy, Discovery, and Authentication for the Internet of Things David Wu Joint work with Ankur Taly, Asim Shankar, and Dan Boneh The Internet of Things (IoT) Lots of smart devices, but only useful if
More informationAn Efficient Data Security in Cloud Computing Using the RSA Encryption Process Algorithm
An Efficient Data Security in Cloud Computing Using the RSA Encryption Process Algorithm V.Masthanamma 1,G.Lakshmi Preya 2 UG Scholar, Department of Information Technology, Saveetha School of Engineering
More informationNetwork Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015
Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Chapter 2: Introduction to Cryptography What is cryptography? It is a process/art of mangling information in such a way so as to make it
More informationShor s algorithm and secret sharing
Shor s algorithm and secret sharing Libor Nentvich: QC 23 April 2007: Shor s algorithm and secret sharing 1/41 Goals: 1 To explain why the factoring is important. 2 To describe the oldest and most successful
More informationSecure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data
Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data V.Abinaya PG Scholar Kalasalingam Institute of Technology Krishnankoil. V.Ramesh Assistant professor Kalasalingam
More informationTYPES Workshop, 12-13 june 2006 p. 1/22. The Elliptic Curve Factorization method
Ä ÙÖ ÒØ ÓÙ Ð ÙÖ ÒØ ÓÑ Ø ºÒ Ø TYPES Workshop, 12-13 june 2006 p. 1/22 ÄÇÊÁ ÍÒ Ú Ö Ø À ÒÖ ÈÓ Ò Ö Æ ÒÝÁ. The Elliptic Curve Factorization method Outline 1. Introduction 2. Factorization method principle 3.
More informationOn prime-order elliptic curves with embedding degrees k = 3, 4 and 6
On prime-order elliptic curves with embedding degrees k = 3, 4 and 6 Koray Karabina and Edlyn Teske University of Waterloo ANTS VIII, Banff, May 20, 2008 K. Karabina and E. Teske (UW) Prime-order elliptic
More informationPaillier Threshold Encryption Toolbox
Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created
More informationNetwork Security Technology Network Management
COMPUTER NETWORKS Network Security Technology Network Management Source Encryption E(K,P) Decryption D(K,C) Destination The author of these slides is Dr. Mark Pullen of George Mason University. Permission
More informationChapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationKey Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University http://www.eng.auburn.edu/~xqin xqin@auburn.
CSC 490 Special Topics Computer and Network Security Key Management Dr. Xiao Qin Auburn University http://www.eng.auburn.edu/~xqin xqin@auburn.edu Slide 09-1 Overview Key exchange Session vs. interchange
More informationFACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY
FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY LINDSEY R. BOSKO I would like to acknowledge the assistance of Dr. Michael Singer. His guidance and feedback were instrumental in completing this
More informationEnterprise Network Virus Protection Research Yanjie Zhou 1, Li Ma 2 Min Wen3
4th International Conference on Mechatronics, Materials, Chemistry and Computer Engineering (ICMMCCE 2015) Enterprise Network Virus Protection Research Yanjie Zhou 1, Li Ma 2 Min Wen3 1,2College of Mathematical
More informationAn Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud
An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Sanjay Madria Professor and Site Director for NSF I/UCRC Center on Net-Centric Software and Systems Missouri University
More informationα α λ α = = λ λ α ψ = = α α α λ λ ψ α = + β = > θ θ β > β β θ θ θ β θ β γ θ β = γ θ > β > γ θ β γ = θ β = θ β = θ β = β θ = β β θ = = = β β θ = + α α α α α = = λ λ λ λ λ λ λ = λ λ α α α α λ ψ + α =
More informationA Fast Semantically Secure Public Key Cryptosystem Based on Factoring
International Journal of Network Security, Vol.3, No., PP.144 150, Sept. 006 (http://ijns.nchu.edu.tw/) 144 A Fast Semantically Secure Public Key Cryptosystem Based on Factoring Sahdeo Padhye and Birendra
More informationDigital Signature. Raj Jain. Washington University in St. Louis
Digital Signature Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationSecure and Efficient Data Transmission for Cluster-based Wireless Sensor Networks
JOURNAL PAPER, ACCEPTED 1 Secure and Efficient Data Transmission for Cluster-based Wireless Sensor Networks Huang Lu, Student Member, IEEE, Jie Li, Senior Member, IEEE, Mohsen Guizani, Fellow, IEEE Abstract
More informationComputer and Network Security. Outline
Computer and Network Security Lecture 10 Certificates and Revocation Outline Key Distribution Certification Authorities Certificate revocation 1 Key Distribution K A, K B E KA ( K AB, E KB (KAB) ) K A
More information7 Key Management and PKIs
CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 7 Key Management and PKIs 7.1 Key Management Key Management For any use of cryptography, keys must be handled correctly. Symmetric keys must be kept secret.
More informationDigital Signatures: A Panoramic View. Palash Sarkar
Digital Signatures: A Panoramic View Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in International Conference on Electrical Engineering, Computing
More informationCLOUD COMPUTING SECURITY IN UNRELIABLE CLOUDS USING RELIABLE RE-ENCRYPTION
CLOUD COMPUTING SECURITY IN UNRELIABLE CLOUDS USING RELIABLE RE-ENCRYPTION Chandrala DN 1, Kulkarni Varsha 2 1 Chandrala DN, M.tech IV sem,department of CS&E, SVCE, Bangalore 2 Kulkarni Varsha, Asst. Prof.
More informationVoteID 2011 Internet Voting System with Cast as Intended Verification
VoteID 2011 Internet Voting System with Cast as Intended Verification September 2011 VP R&D Jordi Puiggali@scytl.com Index Introduction Proposal Security Conclusions 2. Introduction Client computers could
More informationKey Management and Distribution
Key Management and Distribution Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu udio/video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationG.J. E.D.T.,Vol.3(1):43-47 (January-February, 2014) ISSN: 2319 7293 SUODY-Preserving Privacy in Sharing Data with Multi-Vendor for Dynamic Groups
SUODY-Preserving Privacy in Sharing Data with Multi-Vendor for Dynamic s T.Vijayalakshmi 1, Balika J Chelliah 2 & R. Jegadeesan 3 1 M.Tech Student, Department of Computer Science and Engineering, S.R.M.
More informationCryptography and Network Security Chapter 14. Key Distribution. Key Management and Distribution. Key Distribution Task 4/19/2010
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 14 Key Management and Distribution No Singhalese, whether man or woman, would venture
More informationCP-ABE Based Encryption for Secured Cloud Storage Access
International Journal of Scientific & Engineering Research, Volume 3, Issue 9, September-2012 1 CP-ABE Based Encryption for Secured Cloud Storage Access B. Raja Sekhar,B. Sunil Kumar, L. Swathi Reddy,
More informationGREATEST COMMON DIVISOR
DEFINITION: GREATEST COMMON DIVISOR The greatest common divisor (gcd) of a and b, denoted by (a, b), is the largest common divisor of integers a and b. THEOREM: If a and b are nonzero integers, then their
More informationLecture 13: Factoring Integers
CS 880: Quantum Information Processing 0/4/0 Lecture 3: Factoring Integers Instructor: Dieter van Melkebeek Scribe: Mark Wellons In this lecture, we review order finding and use this to develop a method
More informationCh.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis
Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elaine Brow, December 2010 Math 189A: Algebraic Geometry 1. Introduction to Public Key Cryptography To understand the motivation for elliptic curve cryptography, we must first
More informationBootstrapping Security in Mobile Ad Hoc Networks Using Identity-Based Schemes with Key Revocation
Bootstrapping Security in Mobile Ad Hoc Networks Using Identity-Based Schemes with Key Revocation Katrin Hoeper and Guang Gong khoeper@engmail.uwaterloo.ca, ggong@calliope.uwaterloo.ca Department of Electrical
More informationTime-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment
Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment Qin Liu a,b, Guojun Wang a,, Jie Wu b a School of Information Science and Engineering Central South Uversity Changsha,
More information1 Construction of CCA-secure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.
More informationMessage authentication and. digital signatures
Message authentication and " Message authentication digital signatures verify that the message is from the right sender, and not modified (incl message sequence) " Digital signatures in addition, non!repudiation
More information