Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings

Size: px
Start display at page:

Download "Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings"

Transcription

1 Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings Nuttapong Attrapadung, Shota Yamada AIST, 2015

2 Our Main Results in One Slide Instantiations: The first fully secure Generic dual conversion for ABE CP-ABE with short key CP-ABE all-unbounded (for boolean formulae, span programs)

3 1 Introduction

4 Attribute Based Encryption (ABE) ABE for predicate R: X Y {0,1} Key for x X Decrypt Ciphertext for y Y (encrypt m) m? if R(x,y)=1 if R(x,y)=0

5 A Predicate Its Dual Predicate R: X Y {0,1} R: Y X {0,1} R(y,x) := R(x,y)

6 Key-Policy ABE Ciphertext-Policy ABE R: P A {0,1} R: A P {0,1} Key for Ciphertext for Key for Ciphertext for policy p P attribute a A attribute a A policy p P R(p,a) iff p satisfies a R(a,p) iff p satisfies a

7 Motivation KP-ABE, CP-ABE Definitions: directly related. Constructions: NO known relation. Can we generically convert an ABE to its dual? So that we would only construct KP, and get also CP. Might be difficult? Historically, CP [BSW07, Waters11] was harder to achieve than KP [GPSW06].

8 Related Work for Dual Conversion Converting KP-ABE for boolean formulae predicate Small classes of predicates Its dual CP: only for bounded-size formulae [GJPS08]. Converting KP-ABE for all boolean circuits Implies general predicates, but must start with ABE for circuits. Its dual CP: only for bounded-size circuits [GGHSW13]. Due to the use of universal circuits. Summary: less expressivity, and much less efficient.

9 Our Focus Goal: Generic dual conversion for any predicate. Preserving full security, expressivity, and efficiency. Tool: Use a generic ABE framework of [A14]. An abstraction of dual-system encryption [Waters09] for achieving fully-secure ABE. [A14] N. Attrapadung, Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More, Eurocrypt 2014.

10 2 Our Result Overview

11 Our Main Result: Dual Conversion Fully secure ABE for arbitrary R Generic Conversion Fully secure ABE for its dual, R Restricted to ABE In the pair encoding framework [A14].

12 Recall The Pair Encoding Framework Main Theorem in [A14] Pair Encoding for predicate R Generic Conversion Fully secure ABE for R If pair encoding is Perfectly secure or Doubly selectively secure.

13 Our Main Result: More Precisely Doubly selective pair encoding for arbitrary R Generic Conversion Doubly selective pair encoding for its dual, R

14 The Only Previous Dual Conversion A Side Result in [A14] Perfectly secure pair encoding for arbitrary R Generic Conversion Perfectly secure pair encoding for its dual, R

15 Implications: Solving Open Problems Perfectly secure encodings known KP, CP boolean formula with some bounds [LOSTW10, W14, A14] spatial, inner-product, No fully-secure ABE known before Doubly selective encodings known KP unbounded boolean formula KP short-ciphertext for boolean formula KP over doubly-spatial KP regular languages CP regular languages [all in A14] [NEW! all implied by this work] CP unbounded boolean formula CP short-key for boolean formula CP over doublyspatial

16 3 Recall Pair Encoding

17 Recall Pair Encoding and ABE [A14] Pair Encoding for R ABE for R Param h PK=(g 1 h, e(g 1,g 1 ) α ), MSK=α Enc1(x) k x (α,r,h) SK=g 1 kx(α,r,h) Enc2(y) c y (s,h) CT=(g 1 cy(s,h), e(g 1,g 1 ) αs 0 M) Pair(k x,c y ) αs 0 Dec e(g 1,g 1 ) αs 0 if R(x,y)=1 if R(x,y)=1 s 0 = first entry in s. Require some linearity properties. Use composite-order bilinear groups. (Neglect details here).

18 Security Definitions of Pair Encoding Perfect security Identical (info-theoretic) { k x (0, r, h) k x (α, r, h) c y ( s,h) for R(x,y)=0 Doubly selective security Cannot distinguish { g 2 k x(0, r,h) g 2 kx(α, r,h) g 2 cy( s,h) for R(x,y)=0 Selective notion: queries c before k. Co-selective notion: queries k before c. ( then ) ( then )

19 Intuition Behind Pair Encoding Security Switch Keys from Normal to Semi-functional [A14] normal K semi-1 K1 semi-2 K2 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg ^ k(0, r,h) ^ 1 2 g k(α,r,h) ᐧg ^ ^ k(α, r,h) ^ 1 2 Subgroup Decision Security of encoding 1 2 semi-3 K3 ^ g 1 k(α,r,h) ᐧg 2 k(α,0,0) Subgroup Decision Only for self-containment, will not use here.

20 4 Our Conversion

21 Basic Idea for Dual Conversion Encoding for R Encoding for R Enc1 maps x X Enc1 maps y Y defined using Enc2 Enc2 maps y Y Enc2 maps x X defined using Enc1

22 Our Dual Conversion Encoding for R Encoding for R Param h Param h = (h,b) Enc1 k x (α,r,h) Enc1 k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2 c y (s,h) Enc2 c x (r,h) = ( k x (bs 0,r,h), s 0 ) where s = s r = (s 0, r)

23 Our Dual Conversion Encoding for R Encoding for R Param h Param h = (h,b) Enc1 k x (α,r,h) Enc1 k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2 c y (s,h) Enc2 c x (r,h) = ( k x (bs 0,r,h), s 0 ) Pair(k x,c y ) = αs 0 Pair: Pair(k x,c y ) = bs 0 s 0 (α+bs 0 ) (s 0 ) - bs 0 s 0 = αs 0 where s = s r = (s 0, r)

24 Our Dual Conversion The same conversion as in [A14]. [A14] only proved for the perfectly secure encodings. We make it work also for doubly secure encodings.

25 Our New Theorems Encoding for R is selective then Encoding for R is co-selective Encoding for R is co-selective then Encoding for R is selective Intuition: Swap key/cipher encodings Query order is reversed. Hence selective becomes co-selective (and vice versa).

26 Difficulty in Proving Theorems Encoding for R Encoding for R Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) (all terms over the exponent)

27 Difficulty in Proving Theorems Encoding for R Encoding for R { k x (0,r,h) Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Given IND here Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) (all terms over the exponent)

28 Difficulty in Proving Theorems Encoding for R Encoding for R { k x (0,r,h) { k y (0,s,h) Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Given IND here Goal: to prove IND here. But it totally differs from k x. Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) (all terms over the exponent)

29 Proof Idea Encoding for R Encoding for R Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) (all terms over the exponent)

30 Proof Idea Encoding for R Encoding for R Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

31 Proof Idea Encoding for R Encoding for R SI M define α on unknown α Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

32 Proof Idea Encoding for R Encoding for R SI M define α on unknown α Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) But this becomes unknown, too. Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

33 Proof Idea: Cancellation Trick Encoding for R Encoding for R SI M define α on unknown α Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

34 Proof Idea: Cancellation Trick Encoding for R Encoding for R SI M define α on unknown α Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) SI M define b on unknown α Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

35 Proof Idea: Cancellation Trick Encoding for R Encoding for R SI M define α on unknown α cancellation of two unknowns! Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) SI M define b on unknown α Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

36 New Instantiations KP-ABE [A14] all-unbounded for span programs Apply Conversion CP-ABE all-unbounded for span programs KP-ABE [A14] short-ciphertext for span programs Apply Conversion CP-ABE short-key for span programs Doubly selective secure under some Extended DH Exponent assumptions [A14].

37 5 Concluding Remarks

38 More Results Dual-Policy ABE Conjunctively combine ABE and its dual [AI09]. We also provide a conversion from ABE to DP-ABE. More refinement: New specific CP-ABE with tighter reduction. Full version at

39 Thank you

40 Intuition Behind Pair Encoding Security Switch Keys from Normal to Semi-functional [A14] normal K semi-1 K1 semi-2 K2 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg ^ k(0, r,h) ^ 1 2 g k(α,r,h) ᐧg ^ ^ k(α, r,h) ^ 1 2 Subgroup Decision Security of encoding 1 2 semi-3 K3 ^ g 1 k(α,r,h) ᐧg 2 k(α,0,0) Subgroup Decision Only for self-containment, will not use here.

41 Revocable Hierarchical Identity-Based Encryption: History-Free Update, Security Against Insiders, and Short Ciphertexts 1 2 Jae Hong Seo and Keita Emura 1. Myongji University, Korea 2. NICT, Japan #RSAC

42 Contents #RSAC Identity-based encryption with revocation (RIBE) Trivial Way (by Boneh and Franklin 2001) Scalable construction (by Boldyreva, Goyal, and Kumar, 2008) Revocable Hierarchical IBE (RHIBE): CT-RSA 2013, Seo and Emura History-preserving updates approach Security against outsider Long-size ciphertext (ciphertext size depends on the level of hierarchy) Our RHIBE Constructions History-free updates approach Security against insider Constant-size ciphertext (in terms of the hierarchy level) 2

43 #RSAC Identity-Based Encryption and Revocation 3

44 Identity-Based Encryption (IBE) #RSAC Publish mpk 1 time download KGC Issue sk Enc(mpk,, M) Sender Receiver 4

45 Identity-Based Encryption (IBE) #RSAC Publish mpk 1 time download KGC Enc(mpk,, M) Issue sk How to revoke Bob s secret key? Sender Receiver 5

46 Revocation Capability in IBE: Boneh-Franklin #RSAC Publish mpk T 1 is time also regarded as a download part of user s identity KGC Sender 6 Receiver

47 Revocation Capability in IBE: Boneh-Franklin #RSAC Publish mpk T 1 is time also regarded as a download part of user s identity KGC Enc(mpk, T, M) Sender Receiver 7

48 Revocation Capability in IBE: Boneh-Franklin #RSAC Publish mpk T 1 is time also regarded as a download part of user s identity KGC Issue sk T if is not revoked on time T. Enc(mpk, T, M) Sender Receiver 8

49 Revocation Capability in IBE: Boneh-Franklin #RSAC Publish mpk T 1 is time also regarded as a download part of user s identity Sender KGC Issue sk if is not revoked on time T. Problem: The overhead on KGC is Enc(mpk, T, M) linearly increased in the number of users (O(N-R)) 9 T Receiver

50 Revocation Capability in IBE: Boldyreva et al. #RSAC Publish mpk 1 time download KGC Issue sk Enc(mpk,, T, M) Sender Receiver 10

51 Revocation Capability in IBE: Boldyreva et al. #RSAC Publish mpk 1 time download Broadcast key update ku T KGC ku T Issue sk Enc(mpk,, T, M) Sender Receiver 11

52 Revocation Capability in IBE: Boldyreva et al. #RSAC Publish mpk 1 time download Broadcast key update ku T KGC ku T Issue sk Enc(mpk,, T, M) Only non-revoked users can generate a decryption key dk, T from ku T and sk Sender 12 Receiver

53 Revocation Capability in IBE: Boldyreva et al. Only log-size Overhead!! (NNL: Naor-Naor-Lotspiech, O(Rlog(N/R))) Publish mpk 1 time download Broadcast key update ku T KGC ku T Issue sk #RSAC Enc(mpk,, T, M) Only non-revoked users can generate a decryption key dk, T from ku T and sk Sender 13 Receiver

54 Broadcast Encryption (BE) Technique Complete Subtree (CS) #RSAC Each user is assigned to a node u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 We consider a binary tree kept by KGC 14

55 Broadcast Encryption (BE) Technique Complete Subtree (CS) Each user is issued secret keys on the path to the root node by KGC (sk ) #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 U 3 has secret keys on the path to the root node 15

56 Broadcast Encryption (BE) Technique Complete Subtree (CS) ku T is computed for nodes which do not have intersection against paths (to the root node) of revoked users #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked 16

57 Broadcast Encryption (BE) Technique Complete Subtree (CS) ku T is computed for nodes which do not have intersection against paths (to the root node) of revoked users #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked 17

58 Broadcast Encryption (BE) Technique Complete Subtree (CS) ku T is computed for nodes which do not have intersection against paths (to the root node) of revoked users #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked 18

59 Broadcast Encryption (BE) Technique Complete Subtree (CS) ku T is computed for nodes which do not have intersection against paths (to the root node) of revoked users Contain node information which is determined by who will be revoked #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked 19

60 Broadcast Encryption (BE) Technique Complete Subtree (CS) #RSAC From log N size public information ku T, only non-revoked users can extract useful information. dk T sk and ku T u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 U 3 has secret keys on the path to the root node 20

61 Scalable Revocable IBE First construction A. Boldyreva, V. Goyal, and V. Kumar. Identity-based encryption with efficient revocation. In ACM CCS 2008 First adaptive secure scheme B. Libert and D. Vergnaud. Adaptive-ID secure revocable identity-based encryption. In CT-RSA Considering decryption key exposure resistance J. H. Seo and K. Emura. Revocable identity-based encryption revisited: Security model and construction. In PKC An adversary is allowed to obtain #RSAC SD-based construction K. Lee, D. H. Lee, and J. H. Park. Efficient revocable identity-based encryption via subset difference methods, eprint.iacr.org/2014/132,

62 #RSAC Revocable Hierarchical IBE (RHIBE) 22

63 Revocable Hierarchical IBE (RHIBE) A low-level user can stay in the system only if her parent also stays in the current time period. subkey 1 First-level users have O(log N)-size KGC secret key (as in RIBE) skid 1 = subkey logn Second-level users have log N subkeys for each parent's subkey (in total (log N) 2 -size subkeys) skid 2 = subkey 1 *subkey 1 #RSAC subkey 1 *subkey logn One of subkeys will be used for computing kut. subkey logn *subley logn Trivial combination of RIBE and HIBE will result in an impractical scheme with an exponential number of secret keys 23

64 Revocable Hierarchical IBE (RHIBE) The first RHIBE scheme with polynomial size secret keys (Seo-Emura, CT-RSA 2013) skid 2 = Asymmetric trade between secret key size and generating time for secret key A parent gives half-computed subkeys, and children generate suitable subkeys subkey 1 *subkey 1 subkey 1 *subkey logn subkey logn *subley logn (log N) 2 -size subkeys skid 2 = subkey 1 subkey logn subkey 1 Product of partial keys (log N) 2 -size subkeys subkey logn 2(log N)-size half-computed subkeys #RSAC 24

65 Revocable Hierarchical IBE (RHIBE) The first RHIBE scheme with polynomial size secret keys (Seo-Emura, CT-RSA 2013) Asymmetric trade between secret key size and generating time for History-preserving secret key key updates For the A parent calculation, gives a half-computed child needs to know subkeys, and children generate suitable which subkeys partial key of the ancestor was used in each time period. Product of subkey 1 *subkey subkey 1 1 partial keys skid Such 2 = information subkey 1 *subkey is also announced in the subkey logn logn skid 2 = (log N) subkey 2 -size key updates 1 subkeys subkey logn *subley logn subkey logn (log N) 2 -size subkeys 2(log N)-size half-computed subkeys #RSAC 25

66 Our Contribution History-Free Update Low-level users do not need to know what ancestors did during key updates. Security Against Insiders An adversary is allowed to obtain state information Short Ciphertexts Constant-size ciphertext in terms of the level of hierarchy Two constructions: Shorter secret keys and ciphertexts Complete Subtree (CS) Subset Difference (SD) KGC #RSAC 26

67 Main Idea for History-Free Update R(H)IBE: KGC (or a parent user) issues a long-term secret key sk ID using msk (or sk parent-id ). KGC (or a parent user) broadcasts key update information ku T which is computed by msk (or sk parent-id ). A (child) user can generate the decryption key dk ID,T from sk ID and ku T if he/she is not revoked at time T. Two situations are equivalent: A user ID is not revoked at time T The user can generate the decryption key dk ID,T Re-define the key update algorithm #RSAC 27

68 Main Idea for History-Free Update Previous syntax #RSAC Our modification No parent secret key is required (for history-free approach) State information takes a role of the delegation key dk is used instead of sk and ku 28

69 Main Idea for History-Free Update Previous syntax #RSAC Our modification The secret key is used only for generating the decryption key dk. No parent secret key is required (for history-free approach) State information takes a role of the delegation key Low-level users do not need to know what ancestors did during key updates. dk is used instead of sk and ku 29

70 Proposed RHIBE Scheme (CS) Based on the BBG HIBE scheme BBG HIBE (ID) + Boneh-Boyen IBE (Time) Give a reduction to the BBG HIBE scheme. [BBG05] Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. EUROCRYPT (Boneh-Boyen hash) If ID k is not revoked, then there exists the same θ (CS method) #RSAC BBG HIBE (ID) 30 BB IBE (Time) With re-randomization for decryption key exposure resistance

71 Proposed RHIBE Scheme (SD) Linear functions are assigned to each level #RSAC 31 revoked

72 Proposed RHIBE Scheme (SD) Linear functions are assigned to each level #RSAC Key Update info contains information about a point f v 3 (w ) 32 revoked

73 Proposed RHIBE Scheme (SD) Linear functions are assigned to each level #RSAC The secret key sk u3 contains information about a point f v 3 (w) Key Update info contains information about a point f v 3 (w ) 33 revoked

74 Proposed RHIBE Scheme (SD) Linear functions are assigned to each level #RSAC The secret key sk u3 contains information about a point f v 3 (w) Key Update info contains information about a point f v 3 (w ) Using Lagrange interpolation, u3 can recover f v 3 (x) but u5 and u6 do not. 34 revoked

75 Proposed RHIBE Scheme (SD) #RSAC The main part is the same as that of the LLP RIBE scheme. K. Lee, D. H. Lee, and J. H. Park. Efficient revocable identity-based encryption via subset difference methods, eprint.iacr.org/2014/132, One difference is: we introduce the false master key for historyfree construction so that sk does not contain the master key α See the paper for details 35

76 Comparison #RSAC 36

77 Comparison #RSAC DBDH q-weak Bilinear Diffie-Hellman Inversion 37

78 Conclusion and Future work #RSAC RHIBE: History-free update, insider security, short ciphertext, and DKER The reduction to the underlying HIBE requires the challenge identity for the security proof. Adaptive-ID secure RHIBE under a static assumption with these desirable properties 38

encryption Presented by NTU Singapore

encryption Presented by NTU Singapore A survey on identity based encryption Presented by Qi Saiyu NTU Singapore Outline Introduction of public key encryption Identitybased encryption (IBE) Hierarchical identity based encryption (HIBE) Before

More information

Identity-based Encryption with Efficient Revocation. Ziyang Liu May 12,2015

Identity-based Encryption with Efficient Revocation. Ziyang Liu May 12,2015 Identity-based Encryption with Efficient Revocation Ziyang Liu May 12,2015 Overview Identity-based encryption How IBE works Simple Solution of Revocation Revocable IBE Fuzzy IBE Binary tree data structure

More information

Categorical Heuristic for Attribute Based Encryption in the Cloud Server

Categorical Heuristic for Attribute Based Encryption in the Cloud Server Categorical Heuristic for Attribute Based Encryption in the Cloud Server R. Brindha 1, R. Rajagopal 2 1( M.E, Dept of CSE, Vivekanandha Institutes of Engineering and Technology for Women, Tiruchengode,

More information

Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

More information

Identity-Based Encryption: A 30-Minute Tour. Palash Sarkar

Identity-Based Encryption: A 30-Minute Tour. Palash Sarkar Identity-Based Encryption: A 30-Minute Tour Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata,

More information

Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment

Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment Chih Hung Wang Computer Science and Information Engineering National Chiayi University Chiayi City 60004,

More information

Identity-Based Encryption. Gregory Neven (IBM Zurich Research Laboratory) Eike Kiltz (CWI Amsterdam)

Identity-Based Encryption. Gregory Neven (IBM Zurich Research Laboratory) Eike Kiltz (CWI Amsterdam) Identity-Based Encryption Gregory Neven (IBM Zurich Research Laboratory) Eike Kiltz (CWI Amsterdam) Public-key encryption PKI pk KeyGen sk M Enc C Dec M Sender (pk) Receiver (sk) 2 Identity-based encryption

More information

Functional Encryption. Lecture 27

Functional Encryption. Lecture 27 Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data,

More information

Attribute-Based Cryptography. Lecture 21 And Pairing-Based Cryptography

Attribute-Based Cryptography. Lecture 21 And Pairing-Based Cryptography Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography 1 Identity-Based Encryption 2 Identity-Based Encryption In PKE, KeyGen produces a random (PK,SK) pair 2 Identity-Based Encryption

More information

Identity-based Encryption with Efficient Revocation

Identity-based Encryption with Efficient Revocation A preliminary version of this paper appears in Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS 2008, ACM Press, 2008. This is the full version. Identity-based Encryption

More information

RHIBE: Constructing Revocable Hierarchical ID-Based Encryption from HIBE

RHIBE: Constructing Revocable Hierarchical ID-Based Encryption from HIBE INFOMATICA, 2014, Vol. 25, No. 2, 299 326 299 2014 Vilnius University DOI: http://dx.doi.org/10.15388/informatica.2014.16 HIBE: Constructing evocable Hierarchical ID-Based Encryption from HIBE Tung-Tso

More information

Outsourcing the Decryption of ABE Ciphertexts

Outsourcing the Decryption of ABE Ciphertexts Outsourcing the Decryption of ABE Ciphertexts Matthew Green and Susan Hohenberger Johns Hopkins University Brent Waters UT Austin Background A problem Securing records in a data-sharing environment E.g.,

More information

Lecture 17: Re-encryption

Lecture 17: Re-encryption 600.641 Special Topics in Theoretical Cryptography April 2, 2007 Instructor: Susan Hohenberger Lecture 17: Re-encryption Scribe: Zachary Scott Today s lecture was given by Matt Green. 1 Motivation Proxy

More information

Breaking An Identity-Based Encryption Scheme based on DHIES

Breaking An Identity-Based Encryption Scheme based on DHIES Breaking An Identity-Based Encryption Scheme based on DHIES Martin R. Albrecht 1 Kenneth G. Paterson 2 1 SALSA Project - INRIA, UPMC, Univ Paris 06 2 Information Security Group, Royal Holloway, University

More information

Fuzzy Identity-Based Encryption

Fuzzy Identity-Based Encryption Fuzzy Identity-Based Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) Identity-Based Encryption Formal definition Security Idea Ingredients Construction Security Extensions

More information

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

More information

Verifiable Outsourced Computations Outsourcing Computations to Untrusted Servers

Verifiable Outsourced Computations Outsourcing Computations to Untrusted Servers Outsourcing Computations to Untrusted Servers Security of Symmetric Ciphers in Network Protocols ICMS, May 26, 2015, Edinburgh Problem Motivation Problem Motivation Problem Motivation Problem Motivation

More information

Threshold Identity Based Encryption Scheme without Random Oracles

Threshold Identity Based Encryption Scheme without Random Oracles WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yat-sen University Guangzhou, P.R. China Yanming Wang Lingnan College

More information

Cryptography. Identity-based Encryption. Jean-Sébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg

Cryptography. Identity-based Encryption. Jean-Sébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg Identity-based Encryption Université du Luxembourg May 15, 2014 Summary Identity-Based Encryption (IBE) What is Identity-Based Encryption? Difference with conventional PK cryptography. Applications of

More information

Functional Encryption for Public-Attribute Inner Products: Achieving Constant-Size Ciphertexts with Adaptive Security or Support for Negation

Functional Encryption for Public-Attribute Inner Products: Achieving Constant-Size Ciphertexts with Adaptive Security or Support for Negation Functional Encryption for Public-Attribute Inner Products: Achieving Constant-Size Ciphertexts with Adaptive Security or Support for Negation Nuttapong Attrapadung 1 and Benoît Libert 2 1 Research Center

More information

A Performance Analysis of Identity-Based Encryption Schemes

A Performance Analysis of Identity-Based Encryption Schemes A Performance Analysis of Identity-Based Encryption Schemes Pengqi Cheng, Yan Gu, Zihong Lv, Jianfei Wang, Wenlei Zhu, Zhen Chen, Jiwei Huang Tsinghua University, Beijing, 084, China Abstract We implemented

More information

EFFICIENT AND SECURE ATTRIBUTE REVOCATION OF DATA IN MULTI-AUTHORITY CLOUD STORAGE

EFFICIENT AND SECURE ATTRIBUTE REVOCATION OF DATA IN MULTI-AUTHORITY CLOUD STORAGE EFFICIENT AND SECURE ATTRIBUTE REVOCATION OF DATA IN MULTI-AUTHORITY CLOUD STORAGE Reshma Mary Abraham and P. Sriramya Computer Science Engineering, Saveetha University, Chennai, India E-Mail: reshmamaryabraham@gmail.com

More information

New Efficient Searchable Encryption Schemes from Bilinear Pairings

New Efficient Searchable Encryption Schemes from Bilinear Pairings International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

More information

Expressive, Efficient, and Revocable Data Access Control for Multi-Authority Cloud Storage

Expressive, Efficient, and Revocable Data Access Control for Multi-Authority Cloud Storage Expressive, Efficient, and Revocable Data Access Control for Multi-Authority Cloud Storage Abstract: Cloud computing is one of the emerge technologies. To protect the data and privacy of users the access

More information

Adaptive-ID Secure Revocable Identity-Based Encryption

Adaptive-ID Secure Revocable Identity-Based Encryption Adaptive-ID Secure Revocable Identity-Based Encryption Benoît Libert 1 and Damien Vergnaud 2 1 Université Catholique de Louvain, Microelectronics Laboratory, Crypto Group Place du Levant, 3 1348 Louvain-la-Neuve

More information

CP-ABE Based Encryption for Secured Cloud Storage Access

CP-ABE Based Encryption for Secured Cloud Storage Access International Journal of Scientific & Engineering Research, Volume 3, Issue 9, September-2012 1 CP-ABE Based Encryption for Secured Cloud Storage Access B. Raja Sekhar,B. Sunil Kumar, L. Swathi Reddy,

More information

CLOUD COMPUTING SECURITY IN UNRELIABLE CLOUDS USING RELIABLE RE-ENCRYPTION

CLOUD COMPUTING SECURITY IN UNRELIABLE CLOUDS USING RELIABLE RE-ENCRYPTION CLOUD COMPUTING SECURITY IN UNRELIABLE CLOUDS USING RELIABLE RE-ENCRYPTION Chandrala DN 1, Kulkarni Varsha 2 1 Chandrala DN, M.tech IV sem,department of CS&E, SVCE, Bangalore 2 Kulkarni Varsha, Asst. Prof.

More information

Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model

Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model Informatica 3 (008) 07 11 07 Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model Yanli Ren and Dawu Gu Dept. of Computer Science and Engineering Shanghai Jiao Tong University

More information

Lecture 2 August 29, 13:40 15:40

Lecture 2 August 29, 13:40 15:40 Lecture 2 August 29, 13:40 15:40 Public-key encryption with keyword search Anonymous identity-based encryption Identity-based encryption with wildcards Public-key encryption with keyword search & anonymous

More information

Secure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud

Secure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud 1 Secure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud Kan Yang Associate Member IEEE Xiaohua Jia Fellow IEEE Kui Ren Senior Member IEEE Abstract Due to the high volume

More information

Identity based cryptography

Identity based cryptography Identity based cryptography The case of encryption schemes David Galindo d.galindo@cs.ru.nl Security of Systems Department of Computer Science Radboud Universiteit Nijmegen Identity based cryptography

More information

ON MULTI-AUTHORITY CIPHERTEXT-POLICY ATTRIBUTE-BASED ENCRYPTION

ON MULTI-AUTHORITY CIPHERTEXT-POLICY ATTRIBUTE-BASED ENCRYPTION Bull. Korean Math. Soc. 46 (2009), No. 4, pp. 803 819 DOI 10.4134/BKMS.2009.46.4.803 ON MULTI-AUTHORITY CIPHERTEXT-POLICY ATTRIBUTE-BASED ENCRYPTION Sascha Müller, Stefan Katzenbeisser, and Claudia Eckert

More information

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

More information

Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment

Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment Qin Liu a,b, Guojun Wang a,, Jie Wu b a School of Information Science and Engineering Central South Uversity Changsha,

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

More information

IEEE Draft P1363.3. Identity Based Public Key Cryptography Based On Pairings. Daniel Schliebner. 14. Dezember 2009

IEEE Draft P1363.3. Identity Based Public Key Cryptography Based On Pairings. Daniel Schliebner. 14. Dezember 2009 Identity Based Public Key Cryptography Based On Pairings 14. Dezember 2009 Gliederung Introduction Identity Based Encryption The Protocol Security Of The Protocol Discussion About The Headline Identity

More information

1 Message Authentication

1 Message Authentication Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

More information

Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data

Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data Vipul Goyal Omkant Pandey Amit Sahai Brent Waters Abstract As more sensitive data is shared and stored by third-party sites

More information

Anonymity and Time in Public-Key Encryption

Anonymity and Time in Public-Key Encryption Anonymity and Time in Public-Key Encryption Elizabeth Anne Quaglia Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics

More information

Attribute-Based Broadcast Encryption Scheme Made Efficient

Attribute-Based Broadcast Encryption Scheme Made Efficient Attribute-Based Broadcast Encryption Scheme Made Efficient David Lubicz Thomas Sirvent D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 1 / 23 Outline

More information

COMPARATIVE ANALYSIS OF IDENTITY-BASED ENCRYPTION WITH TRADITIONAL PUBLIC KEY ENCRYPTION IN WIRELESS NETWORK

COMPARATIVE ANALYSIS OF IDENTITY-BASED ENCRYPTION WITH TRADITIONAL PUBLIC KEY ENCRYPTION IN WIRELESS NETWORK COMPARATIVE ANALYSIS OF IDENTITY-BASED ENCRYPTION WITH TRADITIONAL PUBLIC KEY ENCRYPTION IN WIRELESS NETWORK Ms. Priyanka Bubna 1, Prof. Parul Bhanarkar Jha 2 1 Wireless Communication & Computing, TGPCET/RTM

More information

Role Based Encryption with Efficient Access Control in Cloud Storage

Role Based Encryption with Efficient Access Control in Cloud Storage Role Based Encryption with Efficient Access Control in Cloud Storage G. V. Bandewar 1, R. H. Borhade 2 1 Department of Information Technology, Sinhgad Technical Education Society s SKNCOE, Pune, India

More information

ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption

ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption Danfeng Yao Nelly Fazio Yevgeniy Dodis Anna Lysyanskaya Abstract A forward-secure encryption scheme

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

Data management using Virtualization in Cloud Computing

Data management using Virtualization in Cloud Computing Data management using Virtualization in Cloud Computing A.S.R. Krishna Kanth M.Tech (CST), Department of Computer Science & Systems Engineering, Andhra University, India. M.Sitha Ram Research Scholar Department

More information

Achieving Fine-grained Access Control for Secure Data Sharing on Cloud Servers

Achieving Fine-grained Access Control for Secure Data Sharing on Cloud Servers CONCURRENCY AND COMPUTATION: PRACTICE AND EXPERIENCE Concurrency Computat.: Pract. Exper. 2000; 00:1 7 [Version: 2002/09/19 v2.02] Achieving Fine-grained Access Control for Secure Data Sharing on Cloud

More information

Enforcing Role-Based Access Control for Secure Data Storage in the Cloud

Enforcing Role-Based Access Control for Secure Data Storage in the Cloud The Author 211. Published by Oxford University Press on behalf of The British Computer Society. All rights reserved. For Permissions please email: journals.permissions@oup.com Advance Access publication

More information

Wildcarded Identity-Based Encryption

Wildcarded Identity-Based Encryption Wildcarded Identity-Based Encryption Michel Abdalla 1, James Birkett 2, Dario Catalano 3, Alexander W. Dent 4, John Malone-Lee 5, Gregory Neven 6,7, Jacob C. N. Schuldt 8, and Nigel P. Smart 9 1 Ecole

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

More information

Identity Based Encryption: An Overview

Identity Based Encryption: An Overview Identity Based Encryption: An Overview Palash Sarkar Indian Statistical Institute IBE Overview p. Structure of Presentation Conceptual overview and motivation. Some technical details. Brief algebraic background.

More information

1 Pseudorandom Permutations

1 Pseudorandom Permutations Theoretical Foundations of Cryptography Lecture 9 Georgia Tech, Spring 2010 PRPs, Symmetric Encryption 1 Pseudorandom Permutations Instructor: Chris Peikert Scribe: Pushkar Tripathi In the first part of

More information

Introduction to Security Proof of Cryptosystems

Introduction to Security Proof of Cryptosystems Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to

More information

Cryptography CS 555. Topic 3: One-time Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1

Cryptography CS 555. Topic 3: One-time Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings Outline One-time pad Perfect secrecy Limitation of perfect secrecy Usages of one-time pad

More information

Analysis of Privacy-Preserving Element Reduction of Multiset

Analysis of Privacy-Preserving Element Reduction of Multiset Analysis of Privacy-Preserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaC-RIM, Seoul

More information

Sheltered Multi-Owner Data distribution For vibrant Groups in the Cloud

Sheltered Multi-Owner Data distribution For vibrant Groups in the Cloud Sheltered Multi-Owner Data distribution For vibrant Groups in the Cloud I.sriram murthy 1 N.Jagajeevan 2 II M-Tech student Assistant.Professor Department of computer science & Engineering Department of

More information

Some Identity Based Strong Bi-Designated Verifier Signature Schemes

Some Identity Based Strong Bi-Designated Verifier Signature Schemes Some Identity Based Strong Bi-Designated Verifier Signature Schemes Sunder Lal and Vandani Verma Department of Mathematics, Dr. B.R.A. (Agra), University, Agra-282002 (UP), India. E-mail- sunder_lal2@rediffmail.com,

More information

ID-based Cryptography and Smart-Cards

ID-based Cryptography and Smart-Cards ID-based Cryptography and Smart-Cards Survol des techniques cryptographiques basées sur l identité et implémentation sur carte à puce The Need for Cryptography Encryption! Transform a message so that only

More information

Secure and Efficient Data Retrieval Process based on Hilbert Space Filling Curve

Secure and Efficient Data Retrieval Process based on Hilbert Space Filling Curve Secure and Efficient Data Retrieval Process based on Hilbert Space Filling Curve N.S. Jeya karthikka PG Scholar Sri Ramakrishna Engg Collg S.Bhaggiaraj Assistant Professor Sri Ramakrishna Engg Collg V.Sumathy

More information

Efficient File Sharing in Electronic Health Records

Efficient File Sharing in Electronic Health Records Efficient File Sharing in Electronic Health Records Clémentine Gritti, Willy Susilo and Thomas Plantard University of Wollongong, Australia 27/02/2015 1/20 Outline for Section 1 1 Introduction 2 Solution

More information

The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

More information

An Enhanced Security Enabled Sharing of Protected Cloud Storage Services by Trapdoor Commitment Based on RSA Signature Assumption

An Enhanced Security Enabled Sharing of Protected Cloud Storage Services by Trapdoor Commitment Based on RSA Signature Assumption Bonfring International Journal of Research in Communication Engineering, Vol. 2, No. 3, September 2012 1 An Enhanced Security Enabled Sharing of Protected Cloud Storage Services by Trapdoor Commitment

More information

KEY-POLICY ATTRIBUTE BASED ENCRYPTION TO SECURE DATA STORED IN CLOUD

KEY-POLICY ATTRIBUTE BASED ENCRYPTION TO SECURE DATA STORED IN CLOUD KEY-POLICY ATTRIBUTE BASED ENCRYPTION TO SECURE DATA STORED IN CLOUD C.Vinoth 1, G.R.Anantha Raman 2 1 Computer Science and Engineering,ACE Hosur(India) 2 Assistant Professor, Computer Science and Engineering,

More information

Data Sharing on Untrusted Storage with Attribute-Based Encryption

Data Sharing on Untrusted Storage with Attribute-Based Encryption Data Sharing on Untrusted Storage with Attribute-Based Encryption by Shucheng Yu A Dissertation Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the requirements

More information

Lightweight Encryption for Email

Lightweight Encryption for Email Lightweight Encryption for Email Ben Adida ben@mit.edu 7 July 2005 joint work with Susan Hohenberger and Ronald L. Rivest MIT Cryptography and Information Security Group Motivation To Improve/Restore the

More information

Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data

Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data V.Abinaya PG Scholar Kalasalingam Institute of Technology Krishnankoil. V.Ramesh Assistant professor Kalasalingam

More information

Multi-Channel Broadcast Encryption

Multi-Channel Broadcast Encryption Multi-Channel Broadcast Encryption Duong Hieu Phan 1,2, David Pointcheval 2, and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. Broadcast encryption aims at sending a content

More information

Lecture 1: Course overview, circuits, and formulas

Lecture 1: Course overview, circuits, and formulas Lecture 1: Course overview, circuits, and formulas Topics in Complexity Theory and Pseudorandomness (Spring 2013) Rutgers University Swastik Kopparty Scribes: John Kim, Ben Lund 1 Course Information Swastik

More information

Efficient Multi-Receiver Identity-Based Encryption and Its Application to Broadcast Encryption

Efficient Multi-Receiver Identity-Based Encryption and Its Application to Broadcast Encryption Efficient Multi-Receiver Identity-Based Encryption and Its Application to Broadcast Encryption Joonsang Baek Reihaneh Safavi-Naini Willy Susilo Centre for Information Security Research School of Information

More information

A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0

A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 James Manger Telstra Research Laboratories, Level 7, 242 Exhibition Street, Melbourne 3000,

More information

Identity-Based Encryption

Identity-Based Encryption Identity-Based ryption Gregory Neven IBM Zurich Research Laboratory gone WILD Public-key encryption PKI pk KeyGen sk M Dec M Sender (pk) Receiver (sk) 2 1 Identity-based encryption (IBE) [S84] Goal: Allow

More information

An Efficiently Subcontracted the Identity-Based Encryption for Revocation in Cloud Computing

An Efficiently Subcontracted the Identity-Based Encryption for Revocation in Cloud Computing An Efficiently Subcontracted the Identity-Based Encryption for Revocation in Cloud Computing Soujanya M A 1, Lalitha L A 2 1 School of Computing and Information Technology, M. Tech, Reva University, Bangalore,

More information

Concrete Attribute-Based Encryption Scheme with Verifiable Outsourced Decryption

Concrete Attribute-Based Encryption Scheme with Verifiable Outsourced Decryption Concrete Attribute-Based Encryption Scheme with Verifiable Outsourced Decryption Abstract: Charan 1, K Dinesh Kumar 2, D Arun Kumar Reddy 3 1 P.G Scholar, 2 Assistant Professor, 3 Associate Professor 1,2,3

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Ran Canetti 1, Shai Halevi 1, and Jonathan Katz 2 1 IBM T. J. Watson Research Center, Hawthorne, NY. {canetti,shaih}@watson.ibm.com 2 Dept. of

More information

Outsourcing the Decryption of ABE Ciphertexts

Outsourcing the Decryption of ABE Ciphertexts Outsourcing the Decryption of ABE Ciphertexts Matthew Green Johns Hopkins University Susan Hohenberger Johns Hopkins University Brent Waters University of Texas at Austin Abstract Attribute-based encryption

More information

Notes on Network Security Prof. Hemant K. Soni

Notes on Network Security Prof. Hemant K. Soni Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications

More information

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

More information

Overview of Public-Key Cryptography

Overview of Public-Key Cryptography CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

More information

An Efficient Security Based Multi Owner Data Sharing for Un-Trusted Groups Using Broadcast Encryption Techniques in Cloud

An Efficient Security Based Multi Owner Data Sharing for Un-Trusted Groups Using Broadcast Encryption Techniques in Cloud An Efficient Security Based Multi Owner Data Sharing for Un-Trusted Groups Using Broadcast Encryption Techniques in Cloud T.Vijayalakshmi 1, Balika J Chelliah 2,S.Alagumani 3 and Dr.J.Jagadeesan 4 1 PG

More information

COM S 687 Introduction to Cryptography October 19, 2006

COM S 687 Introduction to Cryptography October 19, 2006 COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: Non-Malleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 Non-Malleability Until this point we have discussed

More information

Key Refreshing in Identity-based Cryptography and its Application in MANETS

Key Refreshing in Identity-based Cryptography and its Application in MANETS Key Refreshing in Identity-based Cryptography and its Application in MANETS Shane Balfe, Kent D. Boklan, Zev Klagsbrun and Kenneth G. Paterson Royal Holloway, University of London, Egham, Surrey, TW20

More information

Privacy, Discovery, and Authentication for the Internet of Things

Privacy, Discovery, and Authentication for the Internet of Things Privacy, Discovery, and Authentication for the Internet of Things David Wu Joint work with Ankur Taly, Asim Shankar, and Dan Boneh The Internet of Things (IoT) Lots of smart devices, but only useful if

More information

Certificate Based Signature Schemes without Pairings or Random Oracles

Certificate Based Signature Schemes without Pairings or Random Oracles Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying

More information

Attributed-based Access Control for Multi-Authority Systems in Cloud Storage

Attributed-based Access Control for Multi-Authority Systems in Cloud Storage 2012 32nd IEEE International Conference on Distributed Computing Systems Attributed-based Access Control for Multi-Authority Systems in Cloud Storage Kan Yang Department of Computer Science City University

More information

Professor Radha Poovendran EE Department, University of Washington, Seattle, WA & Professor Dawn Song EECS Department, University of California,

Professor Radha Poovendran EE Department, University of Washington, Seattle, WA & Professor Dawn Song EECS Department, University of California, Professor Radha Poovendran EE Department, University of Washington, Seattle, WA & Professor Dawn Song EECS Department, University of California, Berkeley, CA 1 Summer School Objectives Exposure to current

More information

Decentralized Access Control Schemes for Data Storage on Cloud

Decentralized Access Control Schemes for Data Storage on Cloud Computer Science and Engineering 2016, 6(1): 1-6 DOI: 10.5923/j.computer.20160601.01 Decentralized Access Control Schemes for Data Storage on Cloud Shraddha V. Mokle *, Nuzhat F. Shaikh Department of Computer

More information

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

More information

RSA Cryptosystem. Yufei Tao. Department of Computer Science and Engineering Chinese University of Hong Kong. RSA Cryptosystem

RSA Cryptosystem. Yufei Tao. Department of Computer Science and Engineering Chinese University of Hong Kong. RSA Cryptosystem Yufei Tao Department of Computer Science and Engineering Chinese University of Hong Kong In this lecture, we will discuss the RSA cryptosystem, which is widely adopted as a way to encrypt a message, or

More information

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures. Prof. Zeph Grunschlag Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

More information

Property-Based Broadcast Encryption for Multi-level Security Policies

Property-Based Broadcast Encryption for Multi-level Security Policies Property-Based Broadcast Encryption for Multi-level Security Policies André Adelsbach, Ulrich Huber, and Ahmad-Reza Sadeghi Horst Görtz Institute for IT Security, Ruhr Universität Bochum, Germany Eighth

More information

C-CP-ABE: Cooperative Ciphertext Policy Attribute-Based Encryption for the Internet of Things

C-CP-ABE: Cooperative Ciphertext Policy Attribute-Based Encryption for the Internet of Things C-CP-ABE: Cooperative Ciphertext Policy Attribute-Based Encryption for the Internet of Things Lyes Touati, Yacine Challal, Abdelmadjid Bouabdallah To cite this version: Lyes Touati, Yacine Challal, Abdelmadjid

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1 ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters

More information

Oblivious Transfer. Sven Laur University of Tartu

Oblivious Transfer. Sven Laur University of Tartu Oblivious Transfer Sven Laur swen@math.ut.ee University of Tartu Ideal implementation b x 0, x 1 b x 0, x 1 x b Ideal ( 2 1) -OT The protocol is always carried out between a client P 1 and a sender P 2.

More information

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identity-based encryption Public-key encryption, where public key = name

More information

An Efficient and Light weight Secure Framework for Applications of Cloud Environment using Identity Encryption Method

An Efficient and Light weight Secure Framework for Applications of Cloud Environment using Identity Encryption Method An Efficient and Light weight Secure Framework for Applications of Cloud Environment using Identity Encryption Method E.Sathiyamoorthy 1, S.S.Manivannan 2 1&2 School of Information Technology and Engineering

More information

Efficient Unlinkable Secret Handshakes for Anonymous Communications

Efficient Unlinkable Secret Handshakes for Anonymous Communications 보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique

More information

Proofs in Cryptography

Proofs in Cryptography Proofs in Cryptography Ananth Raghunathan Abstract We give a brief overview of proofs in cryptography at a beginners level. We briefly cover a general way to look at proofs in cryptography and briefly

More information

Midterm Exam Solutions CS161 Computer Security, Spring 2008

Midterm Exam Solutions CS161 Computer Security, Spring 2008 Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext

More information