Identity-Based Encryption. Gregory Neven (IBM Zurich Research Laboratory) Eike Kiltz (CWI Amsterdam)
Slide 2. Public-key encryption
KeyGen outputs a key pair (pk, sk); pk is published through a PKI.
Sender (pk): C ← Enc(pk, M)
Receiver (sk): M ← Dec(sk, C)
Slide 3. Identity-based encryption (IBE)
Shamir 1984: the public key can be any string, e.g. an identity; encrypt to ID = bob@gmail.com.
A key distribution center holds msk: (mpk, msk) ← Setup; sk_ID ← KeyDer(msk, ID) is handed to the owner of ID.
Sender (mpk): C ← Enc(mpk, ID, M)
Receiver (sk_ID): M ← Dec(sk_ID, C)
Slide 4. Applications of IBE
Encrypt to ID = bob@ibm.com
Temporary keys, key revocation: ID = bob@ibm.com, 2007
Encrypting to the future: ID = release-date; a trusted clock publishes sk_date on that date
User credentials: ID = bob@ibm.com, role=administrator; the credential is a decryption key, which gives cryptographic policy enforcement
Slide 5. Security of IBE schemes
Security notion: IND-ID-CPA. The adversary A receives mpk and has oracle access to KeyDer(msk, ·), which returns d_ID on input ID.
(mpk, msk) ←R Setup
(ID*, M_0, M_1, state) ←R A^{KeyDer(msk,·)}(mpk)
b ←R {0,1}; C* ←R Enc(mpk, ID*, M_b)
b' ←R A^{KeyDer(msk,·)}(C*, state)
A wins iff b' = b and A never queried KeyDer(ID*).
Adv^{ind-id-cpa}_{IBE}(A) = 2·Pr[b' = b] − 1 = Pr[b' = 1 | b = 1] − Pr[b' = 1 | b = 0]
Slide 6. Security of IBE schemes
Security notion: IND-ID-CCA. As in IND-ID-CPA, but A additionally has a decryption oracle Dec(d_ID, ·) that on input (ID, C) returns M.
(mpk, msk) ←R Setup
(ID*, M_0, M_1, state) ←R A^{KeyDer(msk,·), Dec(·,·)}(mpk)
b ←R {0,1}; C* ←R Enc(mpk, ID*, M_b)
b' ←R A^{KeyDer(msk,·), Dec(·,·)}(C*, state)
A wins iff b' = b and A never queried KeyDer(ID*) or Dec(ID*, C*).
Adv^{ind-id-cca}_{IBE}(A) = 2·Pr[b' = b] − 1 = Pr[b' = 1 | b = 1] − Pr[b' = 1 | b = 0]
Slide 7. Pairings (aka bilinear maps)
Groups G = ⟨g⟩ and G_T of prime order p with a map e: G × G → G_T that is
efficiently computable;
non-degenerate: there exist x, y ∈ G such that e(x, y) ≠ 1;
bilinear: for all x, y, z ∈ G: e(xy, z) = e(x, z)·e(y, z) and e(x, yz) = e(x, y)·e(x, z).
Slide 8. Pairings (aka bilinear maps)
Bilinearity allows moving exponents around:
e(g^a, g^b) = e(g, g^b)·…·e(g, g^b) (a factors) = e(g, g^b)^a = e(g, g)^{ab} = e(g^{ab}, g) = e(g, g^{ab}) = e(g^b, g^a)
Consequence: decisional Diffie-Hellman (DDH) is easy in G. Given g^a, g^b and C, check whether e(g^a, g^b) = e(g, C); this holds iff C = g^{ab}.
Slide 9. Pairing assumptions
Computational Diffie-Hellman (CDH) in G: given g^a, g^b, compute g^{ab}
Bilinear Diffie-Hellman (BDH): given g^a, g^b, g^c, compute e(g, g)^{abc}
Bilinear decisional Diffie-Hellman (BDDH): given g^a, g^b, g^c, decide whether Z = e(g, g)^{abc} or random
q-strong Diffie-Hellman (q-SDH): given g^x, g^{x^2}, …, g^{x^q}, compute (c, g^{1/(x+c)})
Slide 10. The Boneh-Franklin IBE scheme, step 1: ElGamal encryption in G
KeyGen: x ←R Z_p; X ← g^x; sk ← x; pk ← X
Enc(pk, M): r ←R Z_p; C ← (g^r, X^r·M)
Dec(sk, C): (C_1, C_2) ← C; M ← C_2 / (C_1)^x
But DDH is easy in G, so this is insecure! Attack: given (C_1, C_2), test whether e(C_1, X) = e(g, C_2/M_b).
Slide 11. The Boneh-Franklin IBE scheme, step 2: ElGamal encryption in G_T
KeyGen: x, y ←R Z_p; X ← g^x; Y ← g^y; sk ← x; pk ← (X, Y)
Enc(pk, M): r ←R Z_p; C ← (g^r, e(X, Y)^r·M)
Dec(sk, C): (C_1, C_2) ← C; M ← C_2 / e(C_1, Y)^x
IND-CPA secure under the BDDH assumption.
Slide 12. The Boneh-Franklin IBE scheme, step 3: sk ← g^{xy}
KeyGen: x, y ←R Z_p; X ← g^x; Y ← g^y; d ← g^{xy}; sk ← d; pk ← (X, Y)
Enc(pk, M): r ←R Z_p; C ← (g^r, e(X, Y)^r·M)
Dec(sk, C): (C_1, C_2) ← C; M ← C_2 / e(C_1, d)
IND-CPA secure under the BDDH assumption.
Slide 13. The Boneh-Franklin IBE scheme, step 3 (continued): sk ← Y^x with Y random
KeyGen: x ←R Z_p; Y ←R G; X ← g^x; d ← Y^x; sk ← d; pk ← (X, Y)
Enc(pk, M): r ←R Z_p; C ← (g^r, e(X, Y)^r·M)
Dec(sk, C): (C_1, C_2) ← C; M ← C_2 / e(C_1, d)
IND-CPA secure under the BDDH assumption.
Slide 14. The Boneh-Franklin IBE scheme, step 4: Y ← H(ID), split key generation
Setup: x ←R Z_p; X ← g^x; msk ← x; mpk ← X
KeyDer(msk, ID): d_ID ← H(ID)^x
Enc(mpk, ID, M): r ←R Z_p; C ← (g^r, e(X, H(ID))^r·M)
Dec(d_ID, C): (C_1, C_2) ← C; M ← C_2 / e(C_1, d_ID)
IND-CPA secure under the BDDH assumption in the random oracle model (ROM).
Slide 15. Security of Boneh-Franklin IBE
Theorem: If BDDH is (t, ε)-hard, then BF-IBE is (t', q_H, q_K, ε') IND-ID-CPA secure in the random oracle model, for
ε' = (q_H + q_D + 1)·ε
t' = t − (q_H + q_D)·t_exp
Reduction (diagram): B receives a BDDH instance (g^a, g^b, g^c, Z), runs A with an mpk derived from it, answers A's random-oracle queries H(x) and its KeyDer queries for ID with d_ID, turns (M_0, M_1) into the challenge C*, and uses A's guess b' to decide whether Z = e(g, g)^{abc}.
Slide 16. Searchable encryption (SE) [BDOP04]
KeyGen outputs (pk, sk); pk is published through a PKI.
Sender (pk): C ← Enc(pk, W) for keyword W, sent to the mail server (high bandwidth link)
Receiver (sk): t_W ← Trapd(sk, W), sent to the mail server (low bandwidth link)
Mail server: Test(t_W, C) tells whether the keyword W' encrypted in C equals W.
Slide 17. Searchable encryption from IBE [BDOP04, ABC+05]
Generic construction of SE from IBE:
SE.KeyGen = IBE.Setup, i.e. (SE.pk, SE.sk) = (IBE.mpk, IBE.msk)
SE.Trapd = IBE.KeyDer, i.e. SE.t_W = IBE.sk_{ID=W}
SE.Enc(W) = IBE.Enc(ID=W, M) for some fixed M
SE.Test(t_W, C) = ( IBE.Dec(t_W, C) = M )
Security relies on anonymity of the IBE, i.e. the ciphertext does not reveal the ID.
Slide 18. Hierarchical IBE (HIBE) [GS02]
Root (msk): sk_{ID_1} ← KeyDer(msk, ID_1), handed to Receiver 1
Receiver 1 (sk_{ID_1}): sk_{(ID_1, ID_2)} ← KeyDer(sk_{ID_1}, ID_2), handed to Receiver 2
Sender (mpk): C ← Enc(mpk, (ID_1, ID_2), M)
Receiver 2 (sk_{(ID_1, ID_2)}): M ← Dec(sk_{(ID_1, ID_2)}, C)
Slide 19. Application to encrypted e-mail: addresses as hierarchical identities
Example identity: (com, ibm, zurich, nev)
(com, ibm) can derive keys for (com, ibm, zurich), which in turn can derive keys for (com, ibm, zurich, nev).
Slide 20. Attribute-based encryption (ABE) [GPSW06, BSW07]
Key-policy ABE: a ciphertext carries a set of attributes A = {a_1, …, a_λ}; a decryption key carries a formula F, an AND/OR combination of clauses (a_i ∈ A); decryption succeeds iff F(A) = 1. Examples: encrypted audit logs, targeted broadcast.
Ciphertext-policy ABE: the decryption key carries a set of attributes A = {a_1, …, a_λ}; the ciphertext carries an AND/OR combination of attributes.
Slide 21. Inner product encryption [KSW07]
Decryption key: vector x = (x_1, …, x_λ); ciphertext: vector y = (y_1, …, y_λ); decryption succeeds iff ⟨x, y⟩ = x_1 y_1 + … + x_λ y_λ = 0.
Some special cases:
IBE: x = (ID, 1); y = (−1, ID')
Polynomial evaluation: sk_P decrypts C_w iff P(w) = 0; key for P = a_d X^d + … + a_0: x = (a_d, …, a_1, a_0); encrypt to w: y = (w^d, …, w, 1)
Threshold, AND, OR, CNF and DNF formulas
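The inner-product predicate and the two embeddings on this slide, as an added example (not code from the slides or from [KSW07]); it models only the predicate over Z_p, not the encryption, and uses a constructed placeholder prime. It also goes one step beyond the slide: an OR over a set of identities is encoded as the polynomial whose roots are exactly those identities.

```python
P = (1 << 61) - 1   # stands in for the prime group order p (constructed value)

def inner_product_zero(x, y):
    # The KSW07 decryption predicate: the key for x opens a ciphertext for y
    # iff <x, y> = x_1 y_1 + ... + x_lambda y_lambda = 0 (mod p).
    if len(x) != len(y):
        raise ValueError("vector lengths differ")
    return sum(xi * yi for xi, yi in zip(x, y)) % P == 0

# IBE as the special case on the slide: key (ID, 1), ciphertext (-1, ID').
def ibe_key_vector(identity):
    return [identity % P, 1]

def ibe_ct_vector(identity):
    return [P - 1, identity % P]             # -1 mod p is p - 1

# Polynomial evaluation: key for P(X) = a_d X^d + ... + a_1 X + a_0,
# ciphertext for the point w; <x, y> = P(w), so decryption works iff P(w) = 0.
def poly_key_vector(coeffs):                 # coeffs = [a_d, ..., a_1, a_0]
    return [c % P for c in coeffs]

def poly_ct_vector(w, d):
    return [pow(w, k, P) for k in range(d, -1, -1)]   # (w^d, ..., w, 1)

# Beyond the slide (added generalisation): an OR over a set of identities is
# the polynomial P(X) = prod_j (X - ID_j), whose roots are exactly those
# identities, padded with zero high-order coefficients up to degree d.
def or_key_vector(identities, d):
    if len(identities) > d:
        raise ValueError("too many identities for degree d")
    coeffs = [1]                             # highest-degree coefficient first
    for idv in identities:                   # multiply by (X - idv)
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] + c) % P        # contribution of c * X
            nxt[i + 1] = (nxt[i + 1] - idv * c) % P
        coeffs = nxt
    return [0] * (d + 1 - len(coeffs)) + coeffs
```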
Slide 22. IBE implies
Digital signatures
Forward-secure encryption
Searchable encryption
IND-CCA secure PKE
All of these transformations work in the standard model.
Slide 23. Standard model instantiations?
Two approaches: commutative blinding and exponent inversion.
Slide 24. Commutative blinding IBE [BB04]
Setup: α ←R G; msk ← α; mpk ← (e(g, α), pk_H) for a hash H into G
KeyDer(msk, ID): s ←R Z_p; d_ID ← (g^s, α·H(ID)^s)
Enc(mpk, ID, M): r ←R Z_p; C ← (g^r, H(ID)^r, e(g, α)^r·M)
Dec(d_ID, C): (d_1, d_2) ← d_ID; (C_1, C_2, C_3) ← C; M ← C_3 · e(C_2, d_1) / e(C_1, d_2)
Correctness: e(C_2, d_1) / e(C_1, d_2) = e(H(ID)^r, g^s) / e(g^r, α·H(ID)^s) = e(H(ID), g)^{rs} / (e(g, α)^r · e(g, H(ID))^{rs}) = 1 / e(g, α)^r
Boneh-Boyen IBE: H(ID) = u_0 · u_1^{ID} [pk_H = (u_0, u_1)]
Waters IBE: H(ID) = u_0 · ∏_i u_i^{ID_i} over the bits ID_i of ID [pk_H = (u_0, u_1, …, u_n)]
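The Boneh-Franklin scheme (slides 10 to 14), the commutative-blinding scheme on this slide with the Boneh-Boyen hash, and the SE-from-IBE construction of slide 17, written out as an added example (not code from the slides or from the cited papers). It assumes an exponent-space model of the pairing: every group element is stored as its discrete log, so e(g^a, g^b) = e(g,g)^{ab} becomes multiplication mod p; the random oracle H is SHA-256 and p is a constructed placeholder prime. The algebra of each scheme is checked exactly, but the model has no security, since discrete logs are read off directly.

```python
import hashlib
import secrets

# Exponent-space model of a symmetric pairing (a teaching model, not a real
# pairing): an element of G = <g> is stored as its discrete log base g, an
# element of G_T as its discrete log base e(g,g), so e(g^a, g^b) = e(g,g)^{ab}
# is plain multiplication mod p. The slides' equations hold verbatim, but the
# discrete log is trivial here, so nothing in this file is secure.
P = (1 << 127) - 1   # stands in for the prime group order p (constructed value)
G = 1                # the generator g = g^1

def g_mul(a, b):
    return (a + b) % P                         # product in G

def g_pow(a, k):
    return (a * k) % P                         # exponentiation in G

def pair(a, b):
    return (a * b) % P                         # e : G x G -> G_T

def gt_mul(a, b):
    return (a + b) % P                         # product in G_T

def gt_div(a, b):
    return (a - b) % P                         # quotient in G_T

def gt_pow(a, k):
    return (a * k) % P                         # exponentiation in G_T

def rand_zp():
    # random exponent in Z_p*; also used as a random element of G (its log)
    return secrets.randbelow(P - 1) + 1

def ro_hash(identity):
    # Random oracle H: {0,1}* -> G (and the encoding of an identity into Z_p
    # for BB04), modelled as SHA-256 of the identity read as an exponent.
    return int.from_bytes(hashlib.sha256(identity.encode()).digest(), "big") % P

# --- Boneh-Franklin IBE, step 4 of the slides (the basic IND-ID-CPA scheme) ---
def bf_setup():
    x = rand_zp()
    return g_pow(G, x), x                      # mpk = X = g^x, msk = x

def bf_keyder(msk, identity):
    return g_pow(ro_hash(identity), msk)       # d_ID = H(ID)^x

def bf_enc(mpk, identity, m):
    r = rand_zp()                              # C = (g^r, e(X, H(ID))^r * M)
    return g_pow(G, r), gt_mul(gt_pow(pair(mpk, ro_hash(identity)), r), m)

def bf_dec(d_id, c):
    c1, c2 = c
    return gt_div(c2, pair(c1, d_id))          # M = C_2 / e(C_1, d_ID)

# --- Commutative-blinding IBE [BB04] with Boneh-Boyen hash H(ID) = u_0 * u_1^ID ---
def bb_setup():
    alpha, u0, u1 = rand_zp(), rand_zp(), rand_zp()   # random elements of G
    return (pair(G, alpha), (u0, u1)), alpha   # mpk = (e(g,alpha), pk_H), msk = alpha

def bb_hash(pk_h, identity):
    u0, u1 = pk_h
    return g_mul(u0, g_pow(u1, ro_hash(identity)))

def bb_keyder(msk, pk_h, identity):
    s = rand_zp()                              # d_ID = (g^s, alpha * H(ID)^s)
    return g_pow(G, s), g_mul(msk, g_pow(bb_hash(pk_h, identity), s))

def bb_enc(mpk, identity, m):
    e_g_alpha, pk_h = mpk
    r = rand_zp()                              # C = (g^r, H(ID)^r, e(g,alpha)^r * M)
    return g_pow(G, r), g_pow(bb_hash(pk_h, identity), r), gt_mul(gt_pow(e_g_alpha, r), m)

def bb_dec(d_id, c):
    d1, d2 = d_id
    c1, c2, c3 = c                             # M = C_3 * e(C_2, d_1) / e(C_1, d_2)
    return gt_mul(c3, gt_div(pair(c2, d1), pair(c1, d2)))

# --- Searchable encryption from IBE [BDOP04]: keyword = identity, fixed message ---
FIXED_M = 1   # some fixed message in G_T

def se_trapdoor(sk, keyword):
    return bf_keyder(sk, keyword)              # SE.Trapd = IBE.KeyDer

def se_enc(pk, keyword):
    return bf_enc(pk, keyword, FIXED_M)        # SE.Enc(W) = IBE.Enc(ID = W, M)

def se_test(trapdoor, c):
    return bf_dec(trapdoor, c) == FIXED_M      # SE.Test = (IBE.Dec(t_W, C) == M)

if __name__ == "__main__":
    mpk, msk = bf_setup()
    print(bf_dec(bf_keyder(msk, "bob@ibm.com"), bf_enc(mpk, "bob@ibm.com", 42)))
```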
Slide 25. Proof idea of Waters IBE [W05]
H is a programmable hash function: treat H as an information-theoretic object to assist the proof [HK08].
Lemma: Given g, g^x, the Waters hash H(ID) = u_0 ∏_i u_i^{ID_i} can be set up such that
1. H(ID) = g^{x·a(ID)} · g^{b(ID)}, and
2. for all ID* ∉ {ID^(1), …, ID^(q)}: Pr[a(ID*) = 0 and for all i: a(ID^(i)) ≠ 0] is non-negligible.
How? Later.
Slide 26. Security of Waters IBE
Theorem: If BDDH is (t, ε)-hard, then Waters-IBE is (t', q_K, ε') IND-ID-CPA secure.
Reduction (diagram): B receives a BDDH instance (g^x, g^y, g^r, Z), runs A with a simulated mpk, answers A's KeyDer queries for ID with d_ID, turns (ID*, M_0, M_1) into the challenge C*, and uses A's guess b' to decide whether Z = e(g, g)^{xyr}.
Slide 27. Proof idea
Adversary B is given g, g^x, g^y, g^r and Z, and must decide whether Z = e(g, g)^{xyr} or random. B runs A:
Setup: 1. msk = α := g^{xy} (implicit; B cannot compute it). 2. mpk = e(g, α) = e(g^x, g^y); set up pk_H such that H(ID) = g^{x·a(ID)} g^{b(ID)} and, for all ID* ∉ {ID^(1), …, ID^(q)}, Pr[a(ID*) = 0 and for all i: a(ID^(i)) ≠ 0] is non-negligible.
KeyDer(msk, ID), hoping that a(ID) ≠ 0: 1. d_1 = α·H(ID)^s = g^{xy} (g^{x·a(ID)} g^{b(ID)})^s = g^{xy + x·a(ID)·s} g^{b(ID)·s}. Define s := −y/a(ID) + s' to cancel out xy! With this s, d_1 = (g^x)^{a(ID)·s'} · g^{b(ID)·s'} · (g^y)^{−b(ID)/a(ID)}, which B can compute from g^x and g^y. 2. d_2 = g^s = g^{s'} · (g^y)^{−1/a(ID)} can also be computed from g^y.
Enc(ID*, M_0, M_1), hoping that a(ID*) = 0: 1. C*_1 = g^r 2. C*_2 = H(ID*)^r = (g^{b(ID*)})^r = (C*_1)^{b(ID*)} 3. C*_3 = e(g, α)^r · M_b = Z · M_b
Slide 28. Conclusion
If a(ID^(i)) = 0 for some i, or a(ID*) ≠ 0, then B aborts. By the previous lemma, the non-abort case happens with non-negligible probability. In all other cases B can use A to break BDDH. (The actual proof is slightly more involved!)
Reduction (diagram): B receives (g^x, g^y, g^r, Z), answers A's KeyDer queries for ID with d_ID, turns (ID*, M_0, M_1) into C*, and decides whether Z = e(g, g)^{xyr}.
It remains to prove the lemma.
Slide 29. Random walks
Bernoulli random walk of length t: X_i ←R {−1, 1}, X = X_1 + … + X_t.
Lemma: for all |a| ≤ √t: Pr[X = a] ≈ 1/√t.
We need a special random walk with X_i ←R {−1, 0, 1}; it has essentially the same behaviour.
Slide 30. Proof of Lemma
Lemma: Given g, g^x, the Waters hash can be set up such that H(ID) = u_0 ∏_i u_i^{ID_i} = g^{x·a(ID)} g^{b(ID)} and for all ID* ∉ {ID^(1), …, ID^(q)}: Pr[a(ID*) = 0 and for all i: a(ID^(i)) ≠ 0] is non-negligible.
Define u_i := (g^x)^{a_i} g^{b_i}, where a_i ∈ {−t, …, t} is obtained by a {−1, 0, 1} random walk of length t and b_i ←R Z_p (random masks).
Then H(ID) = u_0 ∏_i u_i^{ID_i} = g^{x·a(ID)} g^{b(ID)}, where a(ID) = a_0 + a_1 ID_1 + … + a_n ID_n ∈ {−(n+1)t, …, (n+1)t} is a random walk of length (hw(ID)+1)·t (hw = Hamming weight).
For all ID: 1/√(nt) ≤ Pr[a(ID) = 0] ≤ 1/√t.
For all ID ≠ ID': Pr[a(ID) = 0 | a(ID') = 0] ≤ 1/√t.
By a union bound, with t := O(q²): Pr[a(ID*) = 0 and for all i: a(ID^(i)) ≠ 0] ≥ 1/(q√n).
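The reduction's setup of the Waters hash from this slide and slide 25, as an added simulation (not code from the slides or from [W05]). Assumptions: identities are n-bit integers, p is a constructed placeholder prime, and group elements are kept as discrete logs (exponent-space model), so that H(ID) = g^{x·a(ID)} g^{b(ID)} can be checked as an integer identity; the non-abort probability of the lemma is estimated empirically over fresh setups.

```python
import random

P = (1 << 127) - 1   # stands in for the prime group order p (constructed value)

def walk_endpoint(rng, t):
    # endpoint of a {-1, 0, 1} random walk of length t, so the value lies in {-t, ..., t}
    return sum(rng.choice((-1, 0, 1)) for _ in range(t))

def id_bits(identity, n):
    # the n bits ID_1 .. ID_n of an identity given as an integer (constructed encoding)
    return [(identity >> i) & 1 for i in range(n)]

def simulator_setup(rng, x, n, t):
    # Reduction's setup of the Waters hash key: u_i := (g^x)^{a_i} g^{b_i} with a_i
    # a random-walk endpoint and b_i a random mask. Group elements are kept as
    # discrete logs, so u_i is the integer x*a_i + b_i mod p.
    a = [walk_endpoint(rng, t) for _ in range(n + 1)]
    b = [rng.randrange(P) for _ in range(n + 1)]
    u = [(x * a[i] + b[i]) % P for i in range(n + 1)]
    return u, a, b

def waters_hash(u, identity, n):
    # H(ID) = u_0 * prod_i u_i^{ID_i}, as a discrete log base g
    return (u[0] + sum(u[i + 1] for i, bit in enumerate(id_bits(identity, n)) if bit)) % P

def a_of(a, identity, n):
    # a(ID) = a_0 + sum_i a_i ID_i: the coefficient of x in the exponent of H(ID)
    return a[0] + sum(a[i + 1] for i, bit in enumerate(id_bits(identity, n)) if bit)

def b_of(b, identity, n):
    # b(ID) = b_0 + sum_i b_i ID_i mod p: the part of the exponent the reduction knows
    return (b[0] + sum(b[i + 1] for i, bit in enumerate(id_bits(identity, n)) if bit)) % P

def decomposes(u, a, b, x, identity, n):
    # Lemma, part 1: H(ID) = g^{x a(ID)} g^{b(ID)}
    return waters_hash(u, identity, n) == (x * a_of(a, identity, n) + b_of(b, identity, n)) % P

def check_decomposition(seed, n, t, trials=50):
    # True iff part 1 of the lemma held for every sampled identity
    rng = random.Random(seed)
    x = rng.randrange(1, P)
    u, a, b = simulator_setup(rng, x, n, t)
    return all(decomposes(u, a, b, x, rng.randrange(1 << n), n) for _ in range(trials))

def a_range_ok(seed, n, t, trials=50):
    # a(ID) lies in {-(n+1)t, ..., (n+1)t} for every identity
    rng = random.Random(seed)
    _, a, _ = simulator_setup(rng, rng.randrange(1, P), n, t)
    return all(abs(a_of(a, rng.randrange(1 << n), n)) <= (n + 1) * t for _ in range(trials))

def good_event_rate(n, q, t, trials, seed=1):
    # Lemma, part 2, estimated empirically: the fraction of fresh setups in which
    # a(ID*) = 0 for a random challenge ID* while a(ID^(i)) != 0 for q random,
    # distinct query identities, i.e. the case in which the reduction does not abort.
    rng = random.Random(seed)
    x = rng.randrange(1, P)
    good = 0
    for _ in range(trials):
        u, a, b = simulator_setup(rng, x, n, t)
        ids = rng.sample(range(1 << n), q + 1)
        target, queries = ids[0], ids[1:]
        if a_of(a, target, n) == 0 and all(a_of(a, i, n) != 0 for i in queries):
            good += 1
    return good / trials

if __name__ == "__main__":
    print(good_event_rate(n=8, q=4, t=16, trials=400))
```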
Slide 31. Standard model IBE schemes
1. Commutative blinding IBE: IND-sID-CPA secure [BB04]; IND-ID-CPA secure [Waters05]
2. Exponent-inversion IBE: IND-sID-CPA secure [BB04]; IND-ID-CPA secure [Gentry06, K07]
Open problems: a standard model IBE not based on pairings. Bottleneck: such an IBE scheme implies digital signatures.
Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database
More informationAn Efficient and Provably-secure Digital signature Scheme based on Elliptic Curve Bilinear Pairings
Theoretical and Applied Informatics ISSN 896 5334 Vol.24 (202), no. 2 pp. 09 8 DOI: 0.2478/v079-02-0009-0 An Efficient and Provably-secure Digital signature Scheme based on Elliptic Curve Bilinear Pairings
More informationIdentity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks
Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming
More informationEfficient Unlinkable Secret Handshakes for Anonymous Communications
보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique
More informationQUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University
QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)
More informationIdentity-Based Encryption from Lattices in the Standard Model
Identity-Based Encryption from Lattices in the Standard Model Shweta Agrawal and Xavier Boyen Preliminary version July 20, 2009 Abstract. We construct an Identity-Based Encryption (IBE) system without
More information1 Construction of CCA-secure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.
More informationSecure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud
1 Secure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud Kan Yang Associate Member IEEE Xiaohua Jia Fellow IEEE Kui Ren Senior Member IEEE Abstract Due to the high volume
More informationChosen-Ciphertext Security from Identity-Based Encryption
Chosen-Ciphertext Security from Identity-Based Encryption Ran Canetti 1, Shai Halevi 1, and Jonathan Katz 2 1 IBM T. J. Watson Research Center, Hawthorne, NY. {canetti,shaih}@watson.ibm.com 2 Dept. of
More informationNEW CRYPTOGRAPHIC CHALLENGES IN CLOUD COMPUTING ERA
THE PUBLISHING HOUSE PROCEEDINGS OF THE ROMANIAN ACADEMY, Series A, OF THE ROMANIAN ACADEMY Volume 14, Number 1/2013, pp. 72 77 NEW CRYPTOGRAPHIC CHALLENGES IN CLOUD COMPUTING ERA Laurenţiu BURDUŞEL Politehnica
More informationSecure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data
Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data V.Abinaya PG Scholar Kalasalingam Institute of Technology Krishnankoil. V.Ramesh Assistant professor Kalasalingam
More information