# Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings

Save this PDF as:

Size: px
Start display at page:

Download "Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings"

## Transcription

1 Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings Nuttapong Attrapadung, Shota Yamada AIST, 2015

2 Our Main Results in One Slide Instantiations: The first fully secure Generic dual conversion for ABE CP-ABE with short key CP-ABE all-unbounded (for boolean formulae, span programs)

3 1 Introduction

4 Attribute Based Encryption (ABE) ABE for predicate R: X Y {0,1} Key for x X Decrypt Ciphertext for y Y (encrypt m) m? if R(x,y)=1 if R(x,y)=0

5 A Predicate Its Dual Predicate R: X Y {0,1} R: Y X {0,1} R(y,x) := R(x,y)

6 Key-Policy ABE Ciphertext-Policy ABE R: P A {0,1} R: A P {0,1} Key for Ciphertext for Key for Ciphertext for policy p P attribute a A attribute a A policy p P R(p,a) iff p satisfies a R(a,p) iff p satisfies a

7 Motivation KP-ABE, CP-ABE Definitions: directly related. Constructions: NO known relation. Can we generically convert an ABE to its dual? So that we would only construct KP, and get also CP. Might be difficult? Historically, CP [BSW07, Waters11] was harder to achieve than KP [GPSW06].

8 Related Work for Dual Conversion Converting KP-ABE for boolean formulae predicate Small classes of predicates Its dual CP: only for bounded-size formulae [GJPS08]. Converting KP-ABE for all boolean circuits Implies general predicates, but must start with ABE for circuits. Its dual CP: only for bounded-size circuits [GGHSW13]. Due to the use of universal circuits. Summary: less expressivity, and much less efficient.

9 Our Focus Goal: Generic dual conversion for any predicate. Preserving full security, expressivity, and efficiency. Tool: Use a generic ABE framework of [A14]. An abstraction of dual-system encryption [Waters09] for achieving fully-secure ABE. [A14] N. Attrapadung, Dual System Encryption via Doubly Selective Security: Framework, Fully-secure Functional Encryption for Regular Languages, and More, Eurocrypt 2014.

10 2 Our Result Overview

11 Our Main Result: Dual Conversion Fully secure ABE for arbitrary R Generic Conversion Fully secure ABE for its dual, R Restricted to ABE In the pair encoding framework [A14].

12 Recall The Pair Encoding Framework Main Theorem in [A14] Pair Encoding for predicate R Generic Conversion Fully secure ABE for R If pair encoding is Perfectly secure or Doubly selectively secure.

13 Our Main Result: More Precisely Doubly selective pair encoding for arbitrary R Generic Conversion Doubly selective pair encoding for its dual, R

14 The Only Previous Dual Conversion A Side Result in [A14] Perfectly secure pair encoding for arbitrary R Generic Conversion Perfectly secure pair encoding for its dual, R

15 Implications: Solving Open Problems Perfectly secure encodings known KP, CP boolean formula with some bounds [LOSTW10, W14, A14] spatial, inner-product, No fully-secure ABE known before Doubly selective encodings known KP unbounded boolean formula KP short-ciphertext for boolean formula KP over doubly-spatial KP regular languages CP regular languages [all in A14] [NEW! all implied by this work] CP unbounded boolean formula CP short-key for boolean formula CP over doublyspatial

16 3 Recall Pair Encoding

17 Recall Pair Encoding and ABE [A14] Pair Encoding for R ABE for R Param h PK=(g 1 h, e(g 1,g 1 ) α ), MSK=α Enc1(x) k x (α,r,h) SK=g 1 kx(α,r,h) Enc2(y) c y (s,h) CT=(g 1 cy(s,h), e(g 1,g 1 ) αs 0 M) Pair(k x,c y ) αs 0 Dec e(g 1,g 1 ) αs 0 if R(x,y)=1 if R(x,y)=1 s 0 = first entry in s. Require some linearity properties. Use composite-order bilinear groups. (Neglect details here).

18 Security Definitions of Pair Encoding Perfect security Identical (info-theoretic) { k x (0, r, h) k x (α, r, h) c y ( s,h) for R(x,y)=0 Doubly selective security Cannot distinguish { g 2 k x(0, r,h) g 2 kx(α, r,h) g 2 cy( s,h) for R(x,y)=0 Selective notion: queries c before k. Co-selective notion: queries k before c. ( then ) ( then )

19 Intuition Behind Pair Encoding Security Switch Keys from Normal to Semi-functional [A14] normal K semi-1 K1 semi-2 K2 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg ^ k(0, r,h) ^ 1 2 g k(α,r,h) ᐧg ^ ^ k(α, r,h) ^ 1 2 Subgroup Decision Security of encoding 1 2 semi-3 K3 ^ g 1 k(α,r,h) ᐧg 2 k(α,0,0) Subgroup Decision Only for self-containment, will not use here.

20 4 Our Conversion

21 Basic Idea for Dual Conversion Encoding for R Encoding for R Enc1 maps x X Enc1 maps y Y defined using Enc2 Enc2 maps y Y Enc2 maps x X defined using Enc1

22 Our Dual Conversion Encoding for R Encoding for R Param h Param h = (h,b) Enc1 k x (α,r,h) Enc1 k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2 c y (s,h) Enc2 c x (r,h) = ( k x (bs 0,r,h), s 0 ) where s = s r = (s 0, r)

23 Our Dual Conversion Encoding for R Encoding for R Param h Param h = (h,b) Enc1 k x (α,r,h) Enc1 k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2 c y (s,h) Enc2 c x (r,h) = ( k x (bs 0,r,h), s 0 ) Pair(k x,c y ) = αs 0 Pair: Pair(k x,c y ) = bs 0 s 0 (α+bs 0 ) (s 0 ) - bs 0 s 0 = αs 0 where s = s r = (s 0, r)

24 Our Dual Conversion The same conversion as in [A14]. [A14] only proved for the perfectly secure encodings. We make it work also for doubly secure encodings.

25 Our New Theorems Encoding for R is selective then Encoding for R is co-selective Encoding for R is co-selective then Encoding for R is selective Intuition: Swap key/cipher encodings Query order is reversed. Hence selective becomes co-selective (and vice versa).

26 Difficulty in Proving Theorems Encoding for R Encoding for R Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) (all terms over the exponent)

27 Difficulty in Proving Theorems Encoding for R Encoding for R { k x (0,r,h) Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Given IND here Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) (all terms over the exponent)

28 Difficulty in Proving Theorems Encoding for R Encoding for R { k x (0,r,h) { k y (0,s,h) Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Given IND here Goal: to prove IND here. But it totally differs from k x. Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) (all terms over the exponent)

29 Proof Idea Encoding for R Encoding for R Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) (all terms over the exponent)

30 Proof Idea Encoding for R Encoding for R Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

31 Proof Idea Encoding for R Encoding for R SI M define α on unknown α Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

32 Proof Idea Encoding for R Encoding for R SI M define α on unknown α Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) But this becomes unknown, too. Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

33 Proof Idea: Cancellation Trick Encoding for R Encoding for R SI M define α on unknown α Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

34 Proof Idea: Cancellation Trick Encoding for R Encoding for R SI M define α on unknown α Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) SI M define b on unknown α Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

35 Proof Idea: Cancellation Trick Encoding for R Encoding for R SI M define α on unknown α cancellation of two unknowns! Enc1: k x (α,r,h) Enc1: k y (α,s,h) = ( c y (s,h), α+bs 0 ) SI M define b on unknown α Enc2: c y (s,h) Enc2: c x (r,h) = ( k x (bs 0,r,h), s 0 ) Sim Adv SI M attacks Enc attacks Enc (all terms over the exponent)

36 New Instantiations KP-ABE [A14] all-unbounded for span programs Apply Conversion CP-ABE all-unbounded for span programs KP-ABE [A14] short-ciphertext for span programs Apply Conversion CP-ABE short-key for span programs Doubly selective secure under some Extended DH Exponent assumptions [A14].

37 5 Concluding Remarks

38 More Results Dual-Policy ABE Conjunctively combine ABE and its dual [AI09]. We also provide a conversion from ABE to DP-ABE. More refinement: New specific CP-ABE with tighter reduction. Full version at

39 Thank you

40 Intuition Behind Pair Encoding Security Switch Keys from Normal to Semi-functional [A14] normal K semi-1 K1 semi-2 K2 g 1 k(α,r,h) ᐧg 2 k(0,0,0) g k(α,r,h) ᐧg ^ k(0, r,h) ^ 1 2 g k(α,r,h) ᐧg ^ ^ k(α, r,h) ^ 1 2 Subgroup Decision Security of encoding 1 2 semi-3 K3 ^ g 1 k(α,r,h) ᐧg 2 k(α,0,0) Subgroup Decision Only for self-containment, will not use here.

41 Revocable Hierarchical Identity-Based Encryption: History-Free Update, Security Against Insiders, and Short Ciphertexts 1 2 Jae Hong Seo and Keita Emura 1. Myongji University, Korea 2. NICT, Japan #RSAC

42 Contents #RSAC Identity-based encryption with revocation (RIBE) Trivial Way (by Boneh and Franklin 2001) Scalable construction (by Boldyreva, Goyal, and Kumar, 2008) Revocable Hierarchical IBE (RHIBE): CT-RSA 2013, Seo and Emura History-preserving updates approach Security against outsider Long-size ciphertext (ciphertext size depends on the level of hierarchy) Our RHIBE Constructions History-free updates approach Security against insider Constant-size ciphertext (in terms of the hierarchy level) 2

43 #RSAC Identity-Based Encryption and Revocation 3

44 Identity-Based Encryption (IBE) #RSAC Publish mpk 1 time download KGC Issue sk Enc(mpk,, M) Sender Receiver 4

45 Identity-Based Encryption (IBE) #RSAC Publish mpk 1 time download KGC Enc(mpk,, M) Issue sk How to revoke Bob s secret key? Sender Receiver 5

46 Revocation Capability in IBE: Boneh-Franklin #RSAC Publish mpk T 1 is time also regarded as a download part of user s identity KGC Sender 6 Receiver

47 Revocation Capability in IBE: Boneh-Franklin #RSAC Publish mpk T 1 is time also regarded as a download part of user s identity KGC Enc(mpk, T, M) Sender Receiver 7

48 Revocation Capability in IBE: Boneh-Franklin #RSAC Publish mpk T 1 is time also regarded as a download part of user s identity KGC Issue sk T if is not revoked on time T. Enc(mpk, T, M) Sender Receiver 8

49 Revocation Capability in IBE: Boneh-Franklin #RSAC Publish mpk T 1 is time also regarded as a download part of user s identity Sender KGC Issue sk if is not revoked on time T. Problem: The overhead on KGC is Enc(mpk, T, M) linearly increased in the number of users (O(N-R)) 9 T Receiver

50 Revocation Capability in IBE: Boldyreva et al. #RSAC Publish mpk 1 time download KGC Issue sk Enc(mpk,, T, M) Sender Receiver 10

51 Revocation Capability in IBE: Boldyreva et al. #RSAC Publish mpk 1 time download Broadcast key update ku T KGC ku T Issue sk Enc(mpk,, T, M) Sender Receiver 11

52 Revocation Capability in IBE: Boldyreva et al. #RSAC Publish mpk 1 time download Broadcast key update ku T KGC ku T Issue sk Enc(mpk,, T, M) Only non-revoked users can generate a decryption key dk, T from ku T and sk Sender 12 Receiver

53 Revocation Capability in IBE: Boldyreva et al. Only log-size Overhead!! (NNL: Naor-Naor-Lotspiech, O(Rlog(N/R))) Publish mpk 1 time download Broadcast key update ku T KGC ku T Issue sk #RSAC Enc(mpk,, T, M) Only non-revoked users can generate a decryption key dk, T from ku T and sk Sender 13 Receiver

54 Broadcast Encryption (BE) Technique Complete Subtree (CS) #RSAC Each user is assigned to a node u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 We consider a binary tree kept by KGC 14

55 Broadcast Encryption (BE) Technique Complete Subtree (CS) Each user is issued secret keys on the path to the root node by KGC (sk ) #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 U 3 has secret keys on the path to the root node 15

56 Broadcast Encryption (BE) Technique Complete Subtree (CS) ku T is computed for nodes which do not have intersection against paths (to the root node) of revoked users #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked 16

57 Broadcast Encryption (BE) Technique Complete Subtree (CS) ku T is computed for nodes which do not have intersection against paths (to the root node) of revoked users #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked 17

58 Broadcast Encryption (BE) Technique Complete Subtree (CS) ku T is computed for nodes which do not have intersection against paths (to the root node) of revoked users #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked 18

59 Broadcast Encryption (BE) Technique Complete Subtree (CS) ku T is computed for nodes which do not have intersection against paths (to the root node) of revoked users Contain node information which is determined by who will be revoked #RSAC u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 Revoked 19

60 Broadcast Encryption (BE) Technique Complete Subtree (CS) #RSAC From log N size public information ku T, only non-revoked users can extract useful information. dk T sk and ku T u 1 u 2 u 3 u 4 u 5 u 6 u 7 u 8 U 3 has secret keys on the path to the root node 20

61 Scalable Revocable IBE First construction A. Boldyreva, V. Goyal, and V. Kumar. Identity-based encryption with efficient revocation. In ACM CCS 2008 First adaptive secure scheme B. Libert and D. Vergnaud. Adaptive-ID secure revocable identity-based encryption. In CT-RSA Considering decryption key exposure resistance J. H. Seo and K. Emura. Revocable identity-based encryption revisited: Security model and construction. In PKC An adversary is allowed to obtain #RSAC SD-based construction K. Lee, D. H. Lee, and J. H. Park. Efficient revocable identity-based encryption via subset difference methods, eprint.iacr.org/2014/132,

62 #RSAC Revocable Hierarchical IBE (RHIBE) 22

63 Revocable Hierarchical IBE (RHIBE) A low-level user can stay in the system only if her parent also stays in the current time period. subkey 1 First-level users have O(log N)-size KGC secret key (as in RIBE) skid 1 = subkey logn Second-level users have log N subkeys for each parent's subkey (in total (log N) 2 -size subkeys) skid 2 = subkey 1 *subkey 1 #RSAC subkey 1 *subkey logn One of subkeys will be used for computing kut. subkey logn *subley logn Trivial combination of RIBE and HIBE will result in an impractical scheme with an exponential number of secret keys 23

64 Revocable Hierarchical IBE (RHIBE) The first RHIBE scheme with polynomial size secret keys (Seo-Emura, CT-RSA 2013) skid 2 = Asymmetric trade between secret key size and generating time for secret key A parent gives half-computed subkeys, and children generate suitable subkeys subkey 1 *subkey 1 subkey 1 *subkey logn subkey logn *subley logn (log N) 2 -size subkeys skid 2 = subkey 1 subkey logn subkey 1 Product of partial keys (log N) 2 -size subkeys subkey logn 2(log N)-size half-computed subkeys #RSAC 24

65 Revocable Hierarchical IBE (RHIBE) The first RHIBE scheme with polynomial size secret keys (Seo-Emura, CT-RSA 2013) Asymmetric trade between secret key size and generating time for History-preserving secret key key updates For the A parent calculation, gives a half-computed child needs to know subkeys, and children generate suitable which subkeys partial key of the ancestor was used in each time period. Product of subkey 1 *subkey subkey 1 1 partial keys skid Such 2 = information subkey 1 *subkey is also announced in the subkey logn logn skid 2 = (log N) subkey 2 -size key updates 1 subkeys subkey logn *subley logn subkey logn (log N) 2 -size subkeys 2(log N)-size half-computed subkeys #RSAC 25

66 Our Contribution History-Free Update Low-level users do not need to know what ancestors did during key updates. Security Against Insiders An adversary is allowed to obtain state information Short Ciphertexts Constant-size ciphertext in terms of the level of hierarchy Two constructions: Shorter secret keys and ciphertexts Complete Subtree (CS) Subset Difference (SD) KGC #RSAC 26

67 Main Idea for History-Free Update R(H)IBE: KGC (or a parent user) issues a long-term secret key sk ID using msk (or sk parent-id ). KGC (or a parent user) broadcasts key update information ku T which is computed by msk (or sk parent-id ). A (child) user can generate the decryption key dk ID,T from sk ID and ku T if he/she is not revoked at time T. Two situations are equivalent: A user ID is not revoked at time T The user can generate the decryption key dk ID,T Re-define the key update algorithm #RSAC 27

68 Main Idea for History-Free Update Previous syntax #RSAC Our modification No parent secret key is required (for history-free approach) State information takes a role of the delegation key dk is used instead of sk and ku 28

69 Main Idea for History-Free Update Previous syntax #RSAC Our modification The secret key is used only for generating the decryption key dk. No parent secret key is required (for history-free approach) State information takes a role of the delegation key Low-level users do not need to know what ancestors did during key updates. dk is used instead of sk and ku 29

70 Proposed RHIBE Scheme (CS) Based on the BBG HIBE scheme BBG HIBE (ID) + Boneh-Boyen IBE (Time) Give a reduction to the BBG HIBE scheme. [BBG05] Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. EUROCRYPT (Boneh-Boyen hash) If ID k is not revoked, then there exists the same θ (CS method) #RSAC BBG HIBE (ID) 30 BB IBE (Time) With re-randomization for decryption key exposure resistance

71 Proposed RHIBE Scheme (SD) Linear functions are assigned to each level #RSAC 31 revoked

72 Proposed RHIBE Scheme (SD) Linear functions are assigned to each level #RSAC Key Update info contains information about a point f v 3 (w ) 32 revoked

73 Proposed RHIBE Scheme (SD) Linear functions are assigned to each level #RSAC The secret key sk u3 contains information about a point f v 3 (w) Key Update info contains information about a point f v 3 (w ) 33 revoked

74 Proposed RHIBE Scheme (SD) Linear functions are assigned to each level #RSAC The secret key sk u3 contains information about a point f v 3 (w) Key Update info contains information about a point f v 3 (w ) Using Lagrange interpolation, u3 can recover f v 3 (x) but u5 and u6 do not. 34 revoked

75 Proposed RHIBE Scheme (SD) #RSAC The main part is the same as that of the LLP RIBE scheme. K. Lee, D. H. Lee, and J. H. Park. Efficient revocable identity-based encryption via subset difference methods, eprint.iacr.org/2014/132, One difference is: we introduce the false master key for historyfree construction so that sk does not contain the master key α See the paper for details 35

76 Comparison #RSAC 36

77 Comparison #RSAC DBDH q-weak Bilinear Diffie-Hellman Inversion 37

78 Conclusion and Future work #RSAC RHIBE: History-free update, insider security, short ciphertext, and DKER The reduction to the underlying HIBE requires the challenge identity for the security proof. Adaptive-ID secure RHIBE under a static assumption with these desirable properties 38

### encryption Presented by NTU Singapore

A survey on identity based encryption Presented by Qi Saiyu NTU Singapore Outline Introduction of public key encryption Identitybased encryption (IBE) Hierarchical identity based encryption (HIBE) Before

### Identity-based Encryption with Efficient Revocation. Ziyang Liu May 12,2015

Identity-based Encryption with Efficient Revocation Ziyang Liu May 12,2015 Overview Identity-based encryption How IBE works Simple Solution of Revocation Revocable IBE Fuzzy IBE Binary tree data structure

### Categorical Heuristic for Attribute Based Encryption in the Cloud Server

Categorical Heuristic for Attribute Based Encryption in the Cloud Server R. Brindha 1, R. Rajagopal 2 1( M.E, Dept of CSE, Vivekanandha Institutes of Engineering and Technology for Women, Tiruchengode,

### Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

### Identity-Based Encryption: A 30-Minute Tour. Palash Sarkar

Identity-Based Encryption: A 30-Minute Tour Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata,

### Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment

Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment Chih Hung Wang Computer Science and Information Engineering National Chiayi University Chiayi City 60004,

### Identity-Based Encryption. Gregory Neven (IBM Zurich Research Laboratory) Eike Kiltz (CWI Amsterdam)

Identity-Based Encryption Gregory Neven (IBM Zurich Research Laboratory) Eike Kiltz (CWI Amsterdam) Public-key encryption PKI pk KeyGen sk M Enc C Dec M Sender (pk) Receiver (sk) 2 Identity-based encryption

### Functional Encryption. Lecture 27

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data,

### Attribute-Based Cryptography. Lecture 21 And Pairing-Based Cryptography

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography 1 Identity-Based Encryption 2 Identity-Based Encryption In PKE, KeyGen produces a random (PK,SK) pair 2 Identity-Based Encryption

### Identity-based Encryption with Efficient Revocation

A preliminary version of this paper appears in Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS 2008, ACM Press, 2008. This is the full version. Identity-based Encryption

### RHIBE: Constructing Revocable Hierarchical ID-Based Encryption from HIBE

INFOMATICA, 2014, Vol. 25, No. 2, 299 326 299 2014 Vilnius University DOI: http://dx.doi.org/10.15388/informatica.2014.16 HIBE: Constructing evocable Hierarchical ID-Based Encryption from HIBE Tung-Tso

### Outsourcing the Decryption of ABE Ciphertexts

Outsourcing the Decryption of ABE Ciphertexts Matthew Green and Susan Hohenberger Johns Hopkins University Brent Waters UT Austin Background A problem Securing records in a data-sharing environment E.g.,

### Lecture 17: Re-encryption

600.641 Special Topics in Theoretical Cryptography April 2, 2007 Instructor: Susan Hohenberger Lecture 17: Re-encryption Scribe: Zachary Scott Today s lecture was given by Matt Green. 1 Motivation Proxy

### Breaking An Identity-Based Encryption Scheme based on DHIES

Breaking An Identity-Based Encryption Scheme based on DHIES Martin R. Albrecht 1 Kenneth G. Paterson 2 1 SALSA Project - INRIA, UPMC, Univ Paris 06 2 Information Security Group, Royal Holloway, University

### Fuzzy Identity-Based Encryption

Fuzzy Identity-Based Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) Identity-Based Encryption Formal definition Security Idea Ingredients Construction Security Extensions

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### Verifiable Outsourced Computations Outsourcing Computations to Untrusted Servers

Outsourcing Computations to Untrusted Servers Security of Symmetric Ciphers in Network Protocols ICMS, May 26, 2015, Edinburgh Problem Motivation Problem Motivation Problem Motivation Problem Motivation

### Threshold Identity Based Encryption Scheme without Random Oracles

WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yat-sen University Guangzhou, P.R. China Yanming Wang Lingnan College

### Cryptography. Identity-based Encryption. Jean-Sébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg

Identity-based Encryption Université du Luxembourg May 15, 2014 Summary Identity-Based Encryption (IBE) What is Identity-Based Encryption? Difference with conventional PK cryptography. Applications of

### Functional Encryption for Public-Attribute Inner Products: Achieving Constant-Size Ciphertexts with Adaptive Security or Support for Negation

Functional Encryption for Public-Attribute Inner Products: Achieving Constant-Size Ciphertexts with Adaptive Security or Support for Negation Nuttapong Attrapadung 1 and Benoît Libert 2 1 Research Center

### A Performance Analysis of Identity-Based Encryption Schemes

A Performance Analysis of Identity-Based Encryption Schemes Pengqi Cheng, Yan Gu, Zihong Lv, Jianfei Wang, Wenlei Zhu, Zhen Chen, Jiwei Huang Tsinghua University, Beijing, 084, China Abstract We implemented

### EFFICIENT AND SECURE ATTRIBUTE REVOCATION OF DATA IN MULTI-AUTHORITY CLOUD STORAGE

EFFICIENT AND SECURE ATTRIBUTE REVOCATION OF DATA IN MULTI-AUTHORITY CLOUD STORAGE Reshma Mary Abraham and P. Sriramya Computer Science Engineering, Saveetha University, Chennai, India E-Mail: reshmamaryabraham@gmail.com

### New Efficient Searchable Encryption Schemes from Bilinear Pairings

International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

### Expressive, Efficient, and Revocable Data Access Control for Multi-Authority Cloud Storage

Expressive, Efficient, and Revocable Data Access Control for Multi-Authority Cloud Storage Abstract: Cloud computing is one of the emerge technologies. To protect the data and privacy of users the access

### Adaptive-ID Secure Revocable Identity-Based Encryption

Adaptive-ID Secure Revocable Identity-Based Encryption Benoît Libert 1 and Damien Vergnaud 2 1 Université Catholique de Louvain, Microelectronics Laboratory, Crypto Group Place du Levant, 3 1348 Louvain-la-Neuve

### CP-ABE Based Encryption for Secured Cloud Storage Access

International Journal of Scientific & Engineering Research, Volume 3, Issue 9, September-2012 1 CP-ABE Based Encryption for Secured Cloud Storage Access B. Raja Sekhar,B. Sunil Kumar, L. Swathi Reddy,

### CLOUD COMPUTING SECURITY IN UNRELIABLE CLOUDS USING RELIABLE RE-ENCRYPTION

CLOUD COMPUTING SECURITY IN UNRELIABLE CLOUDS USING RELIABLE RE-ENCRYPTION Chandrala DN 1, Kulkarni Varsha 2 1 Chandrala DN, M.tech IV sem,department of CS&E, SVCE, Bangalore 2 Kulkarni Varsha, Asst. Prof.

### Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model

Informatica 3 (008) 07 11 07 Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model Yanli Ren and Dawu Gu Dept. of Computer Science and Engineering Shanghai Jiao Tong University

### Lecture 2 August 29, 13:40 15:40

Lecture 2 August 29, 13:40 15:40 Public-key encryption with keyword search Anonymous identity-based encryption Identity-based encryption with wildcards Public-key encryption with keyword search & anonymous

### Secure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud

1 Secure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud Kan Yang Associate Member IEEE Xiaohua Jia Fellow IEEE Kui Ren Senior Member IEEE Abstract Due to the high volume

### Identity based cryptography

Identity based cryptography The case of encryption schemes David Galindo d.galindo@cs.ru.nl Security of Systems Department of Computer Science Radboud Universiteit Nijmegen Identity based cryptography

### ON MULTI-AUTHORITY CIPHERTEXT-POLICY ATTRIBUTE-BASED ENCRYPTION

Bull. Korean Math. Soc. 46 (2009), No. 4, pp. 803 819 DOI 10.4134/BKMS.2009.46.4.803 ON MULTI-AUTHORITY CIPHERTEXT-POLICY ATTRIBUTE-BASED ENCRYPTION Sascha Müller, Stefan Katzenbeisser, and Claudia Eckert

### Identity-Based Encryption from the Weil Pairing

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

### Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment

Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment Qin Liu a,b, Guojun Wang a,, Jie Wu b a School of Information Science and Engineering Central South Uversity Changsha,

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

### IEEE Draft P1363.3. Identity Based Public Key Cryptography Based On Pairings. Daniel Schliebner. 14. Dezember 2009

Identity Based Public Key Cryptography Based On Pairings 14. Dezember 2009 Gliederung Introduction Identity Based Encryption The Protocol Security Of The Protocol Discussion About The Headline Identity

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data

Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data Vipul Goyal Omkant Pandey Amit Sahai Brent Waters Abstract As more sensitive data is shared and stored by third-party sites

### Anonymity and Time in Public-Key Encryption

Anonymity and Time in Public-Key Encryption Elizabeth Anne Quaglia Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics

Attribute-Based Broadcast Encryption Scheme Made Efficient David Lubicz Thomas Sirvent D. Lubicz, T. Sirvent (Celar - Irmar) Efficient Attribute-Based Encryption AfricaCrypt 2008, June 13 th 1 / 23 Outline

### COMPARATIVE ANALYSIS OF IDENTITY-BASED ENCRYPTION WITH TRADITIONAL PUBLIC KEY ENCRYPTION IN WIRELESS NETWORK

COMPARATIVE ANALYSIS OF IDENTITY-BASED ENCRYPTION WITH TRADITIONAL PUBLIC KEY ENCRYPTION IN WIRELESS NETWORK Ms. Priyanka Bubna 1, Prof. Parul Bhanarkar Jha 2 1 Wireless Communication & Computing, TGPCET/RTM

### Role Based Encryption with Efficient Access Control in Cloud Storage

Role Based Encryption with Efficient Access Control in Cloud Storage G. V. Bandewar 1, R. H. Borhade 2 1 Department of Information Technology, Sinhgad Technical Education Society s SKNCOE, Pune, India

### ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption

ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption Danfeng Yao Nelly Fazio Yevgeniy Dodis Anna Lysyanskaya Abstract A forward-secure encryption scheme

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### Data management using Virtualization in Cloud Computing

Data management using Virtualization in Cloud Computing A.S.R. Krishna Kanth M.Tech (CST), Department of Computer Science & Systems Engineering, Andhra University, India. M.Sitha Ram Research Scholar Department

### Achieving Fine-grained Access Control for Secure Data Sharing on Cloud Servers

CONCURRENCY AND COMPUTATION: PRACTICE AND EXPERIENCE Concurrency Computat.: Pract. Exper. 2000; 00:1 7 [Version: 2002/09/19 v2.02] Achieving Fine-grained Access Control for Secure Data Sharing on Cloud

### Wildcarded Identity-Based Encryption

Wildcarded Identity-Based Encryption Michel Abdalla 1, James Birkett 2, Dario Catalano 3, Alexander W. Dent 4, John Malone-Lee 5, Gregory Neven 6,7, Jacob C. N. Schuldt 8, and Nigel P. Smart 9 1 Ecole

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

### Identity Based Encryption: An Overview

Identity Based Encryption: An Overview Palash Sarkar Indian Statistical Institute IBE Overview p. Structure of Presentation Conceptual overview and motivation. Some technical details. Brief algebraic background.

### 1 Pseudorandom Permutations

Theoretical Foundations of Cryptography Lecture 9 Georgia Tech, Spring 2010 PRPs, Symmetric Encryption 1 Pseudorandom Permutations Instructor: Chris Peikert Scribe: Pushkar Tripathi In the first part of

### Introduction to Security Proof of Cryptosystems

Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to

### Cryptography CS 555. Topic 3: One-time Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1

Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings Outline One-time pad Perfect secrecy Limitation of perfect secrecy Usages of one-time pad

### Analysis of Privacy-Preserving Element Reduction of Multiset

Analysis of Privacy-Preserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaC-RIM, Seoul

### Sheltered Multi-Owner Data distribution For vibrant Groups in the Cloud

Sheltered Multi-Owner Data distribution For vibrant Groups in the Cloud I.sriram murthy 1 N.Jagajeevan 2 II M-Tech student Assistant.Professor Department of computer science & Engineering Department of

### Some Identity Based Strong Bi-Designated Verifier Signature Schemes

Some Identity Based Strong Bi-Designated Verifier Signature Schemes Sunder Lal and Vandani Verma Department of Mathematics, Dr. B.R.A. (Agra), University, Agra-282002 (UP), India. E-mail- sunder_lal2@rediffmail.com,

### ID-based Cryptography and Smart-Cards

ID-based Cryptography and Smart-Cards Survol des techniques cryptographiques basées sur l identité et implémentation sur carte à puce The Need for Cryptography Encryption! Transform a message so that only

### Secure and Efficient Data Retrieval Process based on Hilbert Space Filling Curve

Secure and Efficient Data Retrieval Process based on Hilbert Space Filling Curve N.S. Jeya karthikka PG Scholar Sri Ramakrishna Engg Collg S.Bhaggiaraj Assistant Professor Sri Ramakrishna Engg Collg V.Sumathy

### Efficient File Sharing in Electronic Health Records

Efficient File Sharing in Electronic Health Records Clémentine Gritti, Willy Susilo and Thomas Plantard University of Wollongong, Australia 27/02/2015 1/20 Outline for Section 1 1 Introduction 2 Solution

### The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

### An Enhanced Security Enabled Sharing of Protected Cloud Storage Services by Trapdoor Commitment Based on RSA Signature Assumption

Bonfring International Journal of Research in Communication Engineering, Vol. 2, No. 3, September 2012 1 An Enhanced Security Enabled Sharing of Protected Cloud Storage Services by Trapdoor Commitment

### KEY-POLICY ATTRIBUTE BASED ENCRYPTION TO SECURE DATA STORED IN CLOUD

KEY-POLICY ATTRIBUTE BASED ENCRYPTION TO SECURE DATA STORED IN CLOUD C.Vinoth 1, G.R.Anantha Raman 2 1 Computer Science and Engineering,ACE Hosur(India) 2 Assistant Professor, Computer Science and Engineering,

### Data Sharing on Untrusted Storage with Attribute-Based Encryption

Data Sharing on Untrusted Storage with Attribute-Based Encryption by Shucheng Yu A Dissertation Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the requirements

### Lightweight Encryption for Email

Lightweight Encryption for Email Ben Adida ben@mit.edu 7 July 2005 joint work with Susan Hohenberger and Ronald L. Rivest MIT Cryptography and Information Security Group Motivation To Improve/Restore the

### Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data

Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data V.Abinaya PG Scholar Kalasalingam Institute of Technology Krishnankoil. V.Ramesh Assistant professor Kalasalingam

Multi-Channel Broadcast Encryption Duong Hieu Phan 1,2, David Pointcheval 2, and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. Broadcast encryption aims at sending a content

### Lecture 1: Course overview, circuits, and formulas

Lecture 1: Course overview, circuits, and formulas Topics in Complexity Theory and Pseudorandomness (Spring 2013) Rutgers University Swastik Kopparty Scribes: John Kim, Ben Lund 1 Course Information Swastik

Efficient Multi-Receiver Identity-Based Encryption and Its Application to Broadcast Encryption Joonsang Baek Reihaneh Safavi-Naini Willy Susilo Centre for Information Security Research School of Information

### A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0

A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 James Manger Telstra Research Laboratories, Level 7, 242 Exhibition Street, Melbourne 3000,

### Identity-Based Encryption

Identity-Based ryption Gregory Neven IBM Zurich Research Laboratory gone WILD Public-key encryption PKI pk KeyGen sk M Dec M Sender (pk) Receiver (sk) 2 1 Identity-based encryption (IBE) [S84] Goal: Allow

### An Efficiently Subcontracted the Identity-Based Encryption for Revocation in Cloud Computing

An Efficiently Subcontracted the Identity-Based Encryption for Revocation in Cloud Computing Soujanya M A 1, Lalitha L A 2 1 School of Computing and Information Technology, M. Tech, Reva University, Bangalore,

### Concrete Attribute-Based Encryption Scheme with Verifiable Outsourced Decryption

Concrete Attribute-Based Encryption Scheme with Verifiable Outsourced Decryption Abstract: Charan 1, K Dinesh Kumar 2, D Arun Kumar Reddy 3 1 P.G Scholar, 2 Assistant Professor, 3 Associate Professor 1,2,3

### Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Ran Canetti 1, Shai Halevi 1, and Jonathan Katz 2 1 IBM T. J. Watson Research Center, Hawthorne, NY. {canetti,shaih}@watson.ibm.com 2 Dept. of

### Outsourcing the Decryption of ABE Ciphertexts

Outsourcing the Decryption of ABE Ciphertexts Matthew Green Johns Hopkins University Susan Hohenberger Johns Hopkins University Brent Waters University of Texas at Austin Abstract Attribute-based encryption

### Notes on Network Security Prof. Hemant K. Soni

Chapter 9 Public Key Cryptography and RSA Private-Key Cryptography traditional private/secret/single key cryptography uses one key shared by both sender and receiver if this key is disclosed communications

### Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. #01 Lecture No. #10 Symmetric Key Ciphers (Refer

### An Efficient Security Based Multi Owner Data Sharing for Un-Trusted Groups Using Broadcast Encryption Techniques in Cloud

An Efficient Security Based Multi Owner Data Sharing for Un-Trusted Groups Using Broadcast Encryption Techniques in Cloud T.Vijayalakshmi 1, Balika J Chelliah 2,S.Alagumani 3 and Dr.J.Jagadeesan 4 1 PG

### COM S 687 Introduction to Cryptography October 19, 2006

COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: Non-Malleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 Non-Malleability Until this point we have discussed

### Key Refreshing in Identity-based Cryptography and its Application in MANETS

Key Refreshing in Identity-based Cryptography and its Application in MANETS Shane Balfe, Kent D. Boklan, Zev Klagsbrun and Kenneth G. Paterson Royal Holloway, University of London, Egham, Surrey, TW20

### Privacy, Discovery, and Authentication for the Internet of Things

Privacy, Discovery, and Authentication for the Internet of Things David Wu Joint work with Ankur Taly, Asim Shankar, and Dan Boneh The Internet of Things (IoT) Lots of smart devices, but only useful if

### Certificate Based Signature Schemes without Pairings or Random Oracles

Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying

### Attributed-based Access Control for Multi-Authority Systems in Cloud Storage

2012 32nd IEEE International Conference on Distributed Computing Systems Attributed-based Access Control for Multi-Authority Systems in Cloud Storage Kan Yang Department of Computer Science City University

### Professor Radha Poovendran EE Department, University of Washington, Seattle, WA & Professor Dawn Song EECS Department, University of California,

Professor Radha Poovendran EE Department, University of Washington, Seattle, WA & Professor Dawn Song EECS Department, University of California, Berkeley, CA 1 Summer School Objectives Exposure to current

### Decentralized Access Control Schemes for Data Storage on Cloud

Computer Science and Engineering 2016, 6(1): 1-6 DOI: 10.5923/j.computer.20160601.01 Decentralized Access Control Schemes for Data Storage on Cloud Shraddha V. Mokle *, Nuzhat F. Shaikh Department of Computer

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### RSA Cryptosystem. Yufei Tao. Department of Computer Science and Engineering Chinese University of Hong Kong. RSA Cryptosystem

Yufei Tao Department of Computer Science and Engineering Chinese University of Hong Kong In this lecture, we will discuss the RSA cryptosystem, which is widely adopted as a way to encrypt a message, or

### Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

### Property-Based Broadcast Encryption for Multi-level Security Policies

Property-Based Broadcast Encryption for Multi-level Security Policies André Adelsbach, Ulrich Huber, and Ahmad-Reza Sadeghi Horst Görtz Institute for IT Security, Ruhr Universität Bochum, Germany Eighth

### C-CP-ABE: Cooperative Ciphertext Policy Attribute-Based Encryption for the Internet of Things

C-CP-ABE: Cooperative Ciphertext Policy Attribute-Based Encryption for the Internet of Things Lyes Touati, Yacine Challal, Abdelmadjid Bouabdallah To cite this version: Lyes Touati, Yacine Challal, Abdelmadjid

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters

### Oblivious Transfer. Sven Laur University of Tartu

Oblivious Transfer Sven Laur swen@math.ut.ee University of Tartu Ideal implementation b x 0, x 1 b x 0, x 1 x b Ideal ( 2 1) -OT The protocol is always carried out between a client P 1 and a sender P 2.

### Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identity-based encryption Public-key encryption, where public key = name

### An Efficient and Light weight Secure Framework for Applications of Cloud Environment using Identity Encryption Method

An Efficient and Light weight Secure Framework for Applications of Cloud Environment using Identity Encryption Method E.Sathiyamoorthy 1, S.S.Manivannan 2 1&2 School of Information Technology and Engineering

### Efficient Unlinkable Secret Handshakes for Anonymous Communications

보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique