IEEE Draft P1363.3. Identity Based Public Key Cryptography Based On Pairings. Daniel Schliebner. December 14, 2009

1 Identity Based Public Key Cryptography Based On Pairings. December 14, 2009

2 Outline: Introduction. Identity Based Encryption. The Protocol. Security Of The Protocol. Discussion.

3 About The Headline. Identity Based Public Key Cryptography is a type of public-key cryptography. Difference: the public key is some unique information ID about the identity of a user. First proposed by Adi Shamir in 1984 (see [ASha84], pages 47–53). Pairing: a mapping between groups (precise definition later). Used for: encryption (IBE), key encapsulation, signatures (and combinations).

8 About The Paper. IEEE: Institute of Electrical and Electronics Engineers. P1363: Standardization project for public-key cryptography. .3: Specifications for identity-based public-key cryptography using pairings. Chair of working group (as of Oct. 08): William Whyte (NTRU Cryptosystems Inc).

12 Pairing: a mathematical formalism. Definition: Let $(G_1, +)$, $(G_2, +)$, $(G_3, \cdot)$ be groups of prime order $p \in \mathbb{N}$. A pairing is a $\mathbb{Z}_p$-bilinear map $e : G_1 \times G_2 \to G_3$ between $\mathbb{Z}_p$-modules for which the following holds: 1. $e$ is non-degenerate (i. e. $\forall P \neq 0_{G_1} \in G_1,\ Q \neq 0_{G_2} \in G_2 : e(P, Q) \neq 1_{G_3}$). 2. $e$ is efficiently computable.

13 Now: ID-based cryptography using the example of ID-based encryption.

14 Identity Based Encryption (IBE): The Participants. Participants are: Sender A (wants to send message m). Receiver B (has an identification ID, e. g. …). A Trusted Third Party: the Private Key Generator (PKG).

17 Identity Based Encryption (IBE): The Algorithms Of An IBE-Protocol. The algorithms of an IBE protocol are: Setup: run by the PKG. Returns: $P$, a set of public parameters, and $s$, the master key (or secret server key). Extract($P$, $s$, ID): run by the PKG (when B requests his private key). Returns: $K_{ID}$, the private key corresponding to ID. Encrypt($P$, ID, $m$): run by A. Returns: $c$, the encrypted plaintext $m$. Decrypt($P$, ID, $c$): run by B. Returns: $m$, the decrypted ciphertext $c$.

21 Identity Based Encryption (IBE): The Algorithms Of An IBE-Protocol (cont.). Summary: PKG runs Setup() $\to (P, s)$. PKG runs Extract($P$, $s$, ID) $\to K_{ID}$. A runs Encrypt($P$, ID, $m$) $\to c$. B runs Decrypt($P$, ID, $c$) $\to m$.

22 Identity Based Encryption (IBE): Primitives. Primitives contain basic mathematical operations (building blocks for an IBE protocol). Generation: used to extract a private key at a PKG. Verification: verification of $K_{ID}$ by receiver B. Encrypt and Decrypt: used inside the corresponding algorithms.

26 The Protocol. Outline: Introduction. Identity Based Encryption. The Protocol. Security Of The Protocol. Discussion.

27 The Protocol. By Dan Boneh and Xavier Boyen. Security is based on the Bilinear Diffie-Hellman (BDH) problem. As formulated in the previous section, the protocol consists of four algorithms: Setup, Extract, Encrypt and Decrypt. To this end, let $G_1, G_2, G_3$ be groups of prime order $p \in \mathbb{N}$ and $e : G_1 \times G_2 \to G_3$ a pairing. Let $ID \in \{0, 1\}^*$ and plaintext $m \in \{0, 1\}^n$.

32 The Protocol: Setup. PKG chooses a master key $s := (s_1, s_2, s_3) \in_R \mathbb{Z}_p \times \mathbb{Z}_p \times \mathbb{Z}_p$. PKG generates the public parameters $P := (Q_1, Q_2, R, T, V, G_1, G_2, e)$, where $Q_i$ is a generator of $G_i$, $i = 1, 2$, i. e. $\langle Q_i \rangle = G_i$, $R := s_1 Q_1$, $T := s_3 Q_1$, $V := e(R, s_2 Q_2)$.

34 The Protocol: The primitives (knowing $P$ and $s$). Generation: P-BB1-G($M$): $r_0 \in_R \mathbb{Z}_p$. $i := s_1 s_2 + r_0 (s_1 M + s_3)$. return $(i Q_2, r_0 Q_2)$. Encryption: P-BB1-E($r$): $E_0 := r Q_1$. $E_1 := (r M) R + r T$. $B := V^r$. return $(E_0, E_1, B)$. Decryption: P-BB1-D($E_0$, $E_1$, $(K_{0,M}, K_{1,M})$): return $e(E_0, K_{0,M}) \cdot e(E_1, K_{1,M})^{-1}$.

37 The Protocol. There are three algorithms left. Using the three primitives P-BB1-G, P-BB1-E, P-BB1-D we can now formulate them. For this, consider three hash functions: $H_1 : \{0, 1\}^* \to \mathbb{Z}_p$, $H_2 : G_3 \to \{0, 1\}^n$, $H_3 : G_3 \times \{0, 1\}^n \times G_1 \times G_1 \to \mathbb{Z}_p$.

40 The Protocol: Extract. $M := H_1(ID)$. $K_{ID} := (K_{0,M}, K_{1,M}) \leftarrow$ P-BB1-G($M$). $K_{ID}$ is the private key for the receiver.

42 The Protocol: Encrypt. $r \in_R \mathbb{Z}_p$. $(B, E_0, E_1) \leftarrow$ P-BB1-E($r$). $Y := H_2(B) \oplus m$. $t := r + H_3(B, Y, E_0, E_1)$. $c := (Y, E_0, E_1, t)$. $c$ is the ciphertext. $B$ is called the blinding factor.

47 The Protocol: Decrypt. $B \leftarrow$ P-BB1-D($E_0$, $E_1$, $K_{ID}$). $r := t - H_3(B, Y, E_0, E_1)$. if not ($B = V^r$ and $E_0 = r Q_1$) then exit with error. $m := Y \oplus H_2(B)$. $m$ is the plaintext.

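An added example (not part of the original slides or of the IEEE draft): the Setup, Extract, Encrypt and Decrypt steps above in Python, run over a toy pairing in which every group element is stored as its discrete logarithm, so the map is bilinear but offers no security. The names `Pt`, `GT`, `pair`, the SHA-256-based `H1`/`H2`/`H3`, the order `2**127 - 1` and the sample identity are assumptions of this example.

```python
import hashlib
import secrets

P_ORDER = 2**127 - 1   # prime group order p (toy parameter chosen for this example)
N_BYTES = 16           # plaintext length n, in bytes

class Pt:
    """Element of G1 or G2, stored as its discrete log to the generator (insecure)."""
    def __init__(self, group, x):
        self.group, self.x = group, x % P_ORDER
    def __add__(self, other):                   # group law, written additively
        assert self.group == other.group
        return Pt(self.group, self.x + other.x)
    def __rmul__(self, k):                      # scalar multiple k*P
        return Pt(self.group, k * self.x)
    def __eq__(self, other):
        return (self.group, self.x) == (other.group, other.x)
    def __repr__(self):
        return f"G{self.group}:{self.x}"

class GT:
    """Element of G3 (written multiplicatively), stored as its exponent."""
    def __init__(self, x):
        self.x = x % P_ORDER
    def __mul__(self, other):
        return GT(self.x + other.x)
    def __pow__(self, k):                       # k = -1 gives the inverse
        return GT(self.x * k)
    def __eq__(self, other):
        return self.x == other.x
    def __repr__(self):
        return f"G3:{self.x}"

def pair(a, b):
    """Toy pairing e(xQ1, yQ2) = e(Q1, Q2)^(xy): bilinear and non-degenerate."""
    assert a.group == 1 and b.group == 2
    return GT(a.x * b.x)

def _hash(tag, *parts):
    return hashlib.sha256(tag + b"|".join(repr(x).encode() for x in parts)).digest()

def H1(identity):                               # {0,1}* -> Z_p
    return int.from_bytes(_hash(b"H1", identity), "big") % P_ORDER

def H2(B):                                      # G3 -> {0,1}^n
    return _hash(b"H2", B)[:N_BYTES]

def H3(B, Y, E0, E1):                           # G3 x {0,1}^n x G1 x G1 -> Z_p
    return int.from_bytes(_hash(b"H3", B, Y, E0, E1), "big") % P_ORDER

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def setup():
    """PKG: master key s = (s1, s2, s3) and public parameters."""
    s = tuple(1 + secrets.randbelow(P_ORDER - 1) for _ in range(3))
    Q1, Q2 = Pt(1, 1), Pt(2, 1)
    R, T = s[0] * Q1, s[2] * Q1
    return {"Q1": Q1, "Q2": Q2, "R": R, "T": T, "V": pair(R, s[1] * Q2)}, s

def extract(params, s, identity):
    """PKG: private key K_ID = (i*Q2, r0*Q2) via P-BB1-G."""
    s1, s2, s3 = s
    M = H1(identity)
    # Sampled nonzero here: with r0 = 0 the key would not depend on M at all.
    r0 = 1 + secrets.randbelow(P_ORDER - 1)
    i = s1 * s2 + r0 * (s1 * M + s3)
    return (i * params["Q2"], r0 * params["Q2"])

def encrypt(params, identity, m):
    """Sender: needs only the public parameters and the receiver's ID."""
    assert len(m) == N_BYTES
    M = H1(identity)
    r = 1 + secrets.randbelow(P_ORDER - 1)
    E0 = r * params["Q1"]
    E1 = (r * M) * params["R"] + r * params["T"]
    B = params["V"] ** r                        # blinding factor
    Y = xor(H2(B), m)
    t = (r + H3(B, Y, E0, E1)) % P_ORDER
    return (Y, E0, E1, t)

def decrypt(params, key, c):
    """Receiver: recover B via P-BB1-D, then reject inconsistent ciphertexts."""
    Y, E0, E1, t = c
    B = pair(E0, key[0]) * pair(E1, key[1]) ** -1
    r = (t - H3(B, Y, E0, E1)) % P_ORDER
    if not (B == params["V"] ** r and E0 == r * params["Q1"]):
        raise ValueError("ciphertext rejected: consistency check failed")
    return xor(Y, H2(B))

if __name__ == "__main__":
    params, s = setup()
    key = extract(params, s, b"bob@example.com")    # constructed sample identity
    c = encrypt(params, b"bob@example.com", b"sixteen byte msg")
    print(decrypt(params, key, c))
```

`decrypt` raises `ValueError` for a modified ciphertext or for a key extracted under a different identity. `extract` needs nothing but the master key, which is why the PKG can read any receiver's messages.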

51 Security Of The Protocol. Outline: Introduction. Identity Based Encryption. The Protocol. Security Of The Protocol. Discussion.

52 Security Of The Protocol: Security. Definition: Let $e : G_1 \times G_2 \to G_3$ be a pairing and $P \in G_1$, $Q \in G_2$. The Bilinear Diffie-Hellman (BDH) Assumption says that if $P, Q, aP, bP, aQ, cQ$ for $a, b, c \in \mathbb{Z}_p$ are given, then it is hard to compute $e(P, Q)^{abc}$.

53 Security Of The Protocol: Security (cont.). The security depends on: the hash functions $H_1, H_2, H_3$; the secure channel between the receiver and the PKG; the BDH Assumption (at which point?).

56 Security Of The Protocol: Security (cont.). Definition: Let $q \in \mathbb{Z}_p$. Then the $q$-Bilinear-Diffie-Hellman-Inverse ($q$-BDHI) Assumption says that if $(P, aP, a^2 P, \ldots, a^q P, Q, aQ, \ldots, a^q Q)$ are given, it is hard to compute $e(P, Q)^{a^{-1}}$. Definition: We say that the $(t, q, \varepsilon)$-BDHI Assumption holds if no $t$-time algorithm $A$ has advantage $\varepsilon$ (i. e. $P(A(P, \ldots, a^q P, Q, \ldots, a^q Q)) \geq \varepsilon$) in solving the $q$-BDHI problem.

58 Security Of The Protocol: Security (cont.). Definition: We say that an IBE system is $(t, q_{ID}, \varepsilon)$-selective identity, chosen plaintext secure (short: $(t, q_{ID}, \varepsilon)$-IND-sID-CPA secure) iff for every IND-sID-CPA adversary $A$ that makes at most $q_{ID}$ chosen private key queries, $\mathrm{ADV}_A < \varepsilon$ holds, where $\mathrm{ADV}_A$ is the advantage of $A$ in attacking the IBE system.

59 Security Of The Protocol: Security (cont.). Theorem: Suppose the $(t, q, \varepsilon)$-BDHI Assumption holds for $G_1$ and $G_2$. Then the protocol is $(t', q_S, \varepsilon)$-IND-sID-CPA secure for any $q_S < q$ and any $t' < t - \Theta(\tau q^2)$, where $\tau$ is the maximum time for an exponentiation in $G_1$, $G_2$. Proof: see [BB04].

61 Advantages. IBE eliminates the need for a public key distribution infrastructure. No key agreement. Interesting features (e. g. encoding additional information into the ID, for instance expiration dates).

63 Disadvantages PKG may decrypt and/or sign any message without authorisation. A secure channel is required between the PKG and the receiver.

64 That's it. Thank you for your attention.

65 Appendix: References. [P ] IEEE P1363.3/D1 Draft Standard for Identity-based Public-key Cryptography Using Pairings. Working Group of the Microprocessor Standards Committee. [ASha84] Identity-Based Cryptosystems and Signature Schemes. Advances in Cryptology: Proceedings of CRYPTO 84. Adi Shamir. Lecture Notes in Computer Science 7, 1984.

66 Appendix: References. [BB04] Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles. D. Boneh, X. Boyen. Advances in Cryptology, Eurocrypt 2004, Springer-Verlag (2004), pp. [Wiki09] Wikipedia (DE, EN). As of: December 14, 2009.


More information

A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0

A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 James Manger Telstra Research Laboratories, Level 7, 242 Exhibition Street, Melbourne 3000,

More information

Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

More information

CS Computer and Network Security: Applied Cryptography

CS Computer and Network Security: Applied Cryptography CS 5410 - Computer and Network Security: Applied Cryptography Professor Patrick Traynor Spring 2016 Reminders Project Ideas are due on Tuesday. Where are we with these? Assignment #2 is posted. Let s get

More information

A Study on Asymmetric Key Cryptography Algorithms

A Study on Asymmetric Key Cryptography Algorithms A Study on Asymmetric Key Cryptography Algorithms ASAITHAMBI.N School of Computer Science and Engineering, Bharathidasan University, Trichy, asaicarrier@gmail.com Abstract Asymmetric key algorithms use

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

Announcements. CS243: Discrete Structures. More on Cryptography and Mathematical Induction. Agenda for Today. Cryptography

Announcements. CS243: Discrete Structures. More on Cryptography and Mathematical Induction. Agenda for Today. Cryptography Announcements CS43: Discrete Structures More on Cryptography and Mathematical Induction Işıl Dillig Class canceled next Thursday I am out of town Homework 4 due Oct instead of next Thursday (Oct 18) Işıl

More information

In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamal-type sc

In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamal-type sc Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane

More information

Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical Identity-Based Cryptography

Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical Identity-Based Cryptography Strengthen Cloud Computing Security with Federal Identity Management Using Hierarchical Identity-Based Cryptography Liang Yan, Chunming Rong, and Gansen Zhao University of Stavanger, Norway {liang.yan,chunming.rong}@uis.no

More information

Overview of Public-Key Cryptography

Overview of Public-Key Cryptography CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

More information

Certificate Based Signature Schemes without Pairings or Random Oracles

Certificate Based Signature Schemes without Pairings or Random Oracles Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying

More information

Public-Key Cryptography. Oregon State University

Public-Key Cryptography. Oregon State University Public-Key Cryptography Çetin Kaya Koç Oregon State University 1 Sender M Receiver Adversary Objective: Secure communication over an insecure channel 2 Solution: Secret-key cryptography Exchange the key

More information

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

More information

Multi-Channel Broadcast Encryption

Multi-Channel Broadcast Encryption Multi-Channel Broadcast Encryption Duong Hieu Phan 1,2, David Pointcheval 2, and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. Broadcast encryption aims at sending a content

More information

Public Key Cryptography and RSA. Review: Number Theory Basics

Public Key Cryptography and RSA. Review: Number Theory Basics Public Key Cryptography and RSA Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Review: Number Theory Basics Definition An integer n > 1 is called a prime number if its positive divisors are 1 and

More information

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

More information

Lecture 6 - Cryptography

Lecture 6 - Cryptography Lecture 6 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07 Question 2 Setup: Assume you and I don t know anything about

More information

Strengthen RFID Tags Security Using New Data Structure

Strengthen RFID Tags Security Using New Data Structure International Journal of Control and Automation 51 Strengthen RFID Tags Security Using New Data Structure Yan Liang and Chunming Rong Department of Electrical Engineering and Computer Science, University

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

A Factoring and Discrete Logarithm based Cryptosystem

A Factoring and Discrete Logarithm based Cryptosystem Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

More information

A New and Efficient Signature on Commitment Values

A New and Efficient Signature on Commitment Values International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding

More information

9 Modular Exponentiation and Cryptography

9 Modular Exponentiation and Cryptography 9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system.

More information

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography

More information

Public Key Encryption with Keyword Search Revisited

Public Key Encryption with Keyword Search Revisited Public Key Encryption with Keyword Search Revisited Joonsang Baek, Reihaneh Safiavi-Naini,Willy Susilo University of Wollongong Northfields Avenue Wollongong NSW 2522, Australia Abstract The public key

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

Identity-Based Key Agreement and Encryption For Wireless Sensor Networks

Identity-Based Key Agreement and Encryption For Wireless Sensor Networks 182 IJCSNS International Journal of Computer Science and Network Security, VOL.6 No.5B, May 2006 Identity-Based Key Agreement and Encryption For Wireless Sensor Networks Geng Yang 1, Chunming Rong 2, Christian

More information

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Identity-Based Encryption from the Weil Pairing Dan Boneh 1, and Matt Franklin 2 1 Computer Science Department, Stanford University, Stanford CA 94305-9045 dabo@cs.stanford.edu 2 Computer Science Department,

More information

E-Visas Verification Schemes Based on Public-Key Infrastructure and Identity Based Encryption

E-Visas Verification Schemes Based on Public-Key Infrastructure and Identity Based Encryption Journal of Computer Science 6 (7): 723-727, 2010 ISSN 1549-3636 2010 Science Publications E-Visas Verification Schemes Based on Public-Key Infrastructure and Identity Based Encryption Najlaa A. Abuadhmah,

More information

A SYMMETRIC KEY FULLY HOMOMORPHIC ENCRYPTION SCHEME USING GENERAL CHINESE REMAINDER THEOREM

A SYMMETRIC KEY FULLY HOMOMORPHIC ENCRYPTION SCHEME USING GENERAL CHINESE REMAINDER THEOREM Konuralp Journal of Mathematics Volume 4 No. 1 pp. 122 129 (2016) c KJM A SYMMETRIC KEY FULLY HOMOMORPHIC ENCRYPTION SCHEME USING GENERAL CHINESE REMAINDER THEOREM EMİN AYGÜN AND ERKAM LÜY Abstract. The

More information

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identity-based encryption Public-key encryption, where public key = name

More information

Chapter 10 Asymmetric-Key Cryptography

Chapter 10 Asymmetric-Key Cryptography Chapter 10 Asymmetric-Key Cryptography Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives Present asymmetric-key cryptography. Distinguish

More information

Acknowledgements. Notations and abbreviations

Acknowledgements. Notations and abbreviations Abstract This work explains the fundamental definitions required to define and create Fuzzy Identity- Based Encryption schemes as an error-tolerant version of Identity-Based Encryption schemes, along with

More information

Chapter 9 Public Key Cryptography and RSA

Chapter 9 Public Key Cryptography and RSA Chapter 9 Public Key Cryptography and RSA Cryptography and Network Security: Principles and Practices (3rd Ed.) 2004/1/15 1 9.1 Principles of Public Key Private-Key Cryptography traditional private/secret/single

More information

Introduction to Cryptography

Introduction to Cryptography Introduction to Cryptography Part 2: public-key cryptography Jean-Sébastien Coron January 2007 Public-key cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has

More information

Metered Signatures - How to restrict the Signing Capability -

Metered Signatures - How to restrict the Signing Capability - JOURNAL OF COMMUNICATIONS AND NETWORKS, VOL.?, NO.?, 1 Metered Signatures - How to restrict the Signing Capability - Woo-Hwan Kim, HyoJin Yoon, and Jung Hee Cheon Abstract: We propose a new notion of metered

More information

The mathematics of cryptology

The mathematics of cryptology The mathematics of cryptology Paul E. Gunnells Department of Mathematics and Statistics University of Massachusetts, Amherst Amherst, MA 01003 www.math.umass.edu/ gunnells April 27, 2004 What is Cryptology?

More information

Introduction to Cryptography

Introduction to Cryptography Introduction to Cryptography Part 3: real world applications Jean-Sébastien Coron January 2007 Public-key encryption BOB ALICE Insecure M E C C D channel M Alice s public-key Alice s private-key Authentication

More information

A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes

A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes Y. Desmedt Aangesteld Navorser NFWO Katholieke Universiteit Leuven Laboratorium ESAT B-3030 Heverlee, Belgium A. M. Odlyzko

More information

Provably Secure Cryptography: State of the Art and Industrial Applications

Provably Secure Cryptography: State of the Art and Industrial Applications Provably Secure Cryptography: State of the Art and Industrial Applications Pascal Paillier Gemplus/R&D/ARSC/STD/Advanced Cryptographic Services French-Japanese Joint Symposium on Computer Security Outline

More information

On the Difficulty of Software Key Escrow

On the Difficulty of Software Key Escrow On the Difficulty of Software Key Escrow Lars R. Knudsen and Torben P. Pedersen Katholieke Universiteit Leuven, Belgium, email: knudsen@esat.kuleuven.ac.be Cryptomathic, Denmark, email: tpp@cryptomathic.aau.dk

More information

Hierarchical ID-Based Cryptography

Hierarchical ID-Based Cryptography Hierarchical ID-Based Cryptography Craig Gentry 1 and Alice Silverberg 2, 1 DoCoMo USA Labs, San Jose, CA, USA, cgentry@docomolabs-usa.com 2 Department of Mathematics, Ohio State University, Columbus,

More information

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography Kommunikationssysteme (KSy) - Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 2000-2001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem

More information

Paillier Threshold Encryption Toolbox

Paillier Threshold Encryption Toolbox Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created

More information

Identity-based Cryptography. Liqun Chen Hewlett-Packard Laboratories

Identity-based Cryptography. Liqun Chen Hewlett-Packard Laboratories Identity-based Cryptography Liqun Chen Hewlett-Packard Laboratories liqun.chen@hp.com 1 What will be covered in this lecture Basic concept of identity-based cryptography (IBC) Examples of IBC mechanisms

More information

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

More information

Index Calculation Attacks on RSA Signature and Encryption

Index Calculation Attacks on RSA Signature and Encryption Index Calculation Attacks on RSA Signature and Encryption Jean-Sébastien Coron 1, Yvo Desmedt 2, David Naccache 1, Andrew Odlyzko 3, and Julien P. Stern 4 1 Gemplus Card International {jean-sebastien.coron,david.naccache}@gemplus.com

More information

RHIBE: Constructing Revocable Hierarchical ID-Based Encryption from HIBE

RHIBE: Constructing Revocable Hierarchical ID-Based Encryption from HIBE INFOMATICA, 2014, Vol. 25, No. 2, 299 326 299 2014 Vilnius University DOI: http://dx.doi.org/10.15388/informatica.2014.16 HIBE: Constructing evocable Hierarchical ID-Based Encryption from HIBE Tung-Tso

More information

Lightweight Encryption for Email

Lightweight Encryption for Email Lightweight Encryption for Email Ben Adida MIT ben@mit.edu Susan Hohenberger MIT srhohen@mit.edu Ronald L. Rivest MIT rivest@mit.edu Abstract Email encryption techniques have been available for more than

More information

Attribute-Based Cryptography. Lecture 21 And Pairing-Based Cryptography

Attribute-Based Cryptography. Lecture 21 And Pairing-Based Cryptography Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography 1 Identity-Based Encryption 2 Identity-Based Encryption In PKE, KeyGen produces a random (PK,SK) pair 2 Identity-Based Encryption

More information

An Efficient and Provably-secure Digital signature Scheme based on Elliptic Curve Bilinear Pairings

An Efficient and Provably-secure Digital signature Scheme based on Elliptic Curve Bilinear Pairings Theoretical and Applied Informatics ISSN 896 5334 Vol.24 (202), no. 2 pp. 09 8 DOI: 0.2478/v079-02-0009-0 An Efficient and Provably-secure Digital signature Scheme based on Elliptic Curve Bilinear Pairings

More information

Unified Public Key Infrastructure Supporting Both Certificate-based and ID-based Cryptography

Unified Public Key Infrastructure Supporting Both Certificate-based and ID-based Cryptography 2010 International Conference on Availability, Reliability and Security Unified Public Key Infrastructure Supporting Both Certificate-based and ID-based Cryptography Byoungcheon Lee Dept. of Information

More information

The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

More information