Relations Among Notions of Security for Identity Based Encryption Schemes


 Nickolas Wiggins
 2 years ago
 Views:
Transcription
1 Relations Among Notions of Security for Identity Based Encryption Schemes Nuttapong Attrapadung 1, Yang Cui 1, David Galindo 2, Goichiro Hanaoka 3, Ichiro Hasuo 2, Hideki Imai 1,3, Kanta Matsuura 1, Peng Yang 1, and Rui Zhang 1 1 Institute of Industrial Science, University of Tokyo. 2 Institute for Computing and Information Sciences Radboud University Nijmegen. 3 Research Center for Information Security, National Institute of Advanced Industrial Science and Technology. Abstract. This paper shows that the standard security notion for identity based encryption schemes (IBE), that is INDIDCCA2, captures the essence of security for all IBE schemes. To achieve this intention, we first describe formal definitions of the notions of security for IBE, and then present the relations among OW, IND, SS and NM in IBE, along with rigorous proofs. With the aim of comprehensiveness, notions of security for IBE in the context of encryption of multiple messages and/or to multiple receivers are finally presented. All of these results are proposed with the consideration of the particular attack in IBE, namely the adaptive chosen identity attack. 1 Introduction Identity based encryption (IBE) is a public key encryption mechanism where an arbitrary string, such as the recipient s identity, can serve as a public key. This convenience yields the avoidance of the need to distribute public key certificates. On the other hand, in conventional public key encryption (PKE) schemes, it is unavoidable to access the online public key directory in order to obtain the public keys. IBE schemes are largely motivated by many applications such as to encrypt s with the recipient s address. Although the basic concept of IBE was proposed by Shamir [13] more than two decades ago, it is only very recent that the first fully functional scheme was proposed [6]. In 2001, Boneh and Franklin defined a security model and gave the first fully functional solution provably secure in the random oracle model. The notions of security proposed in their work are natural extensions to the standard ones for PKE, namely indistinguishabilitybased ones. Rui Zhang is supported by a JSPS Fellowship.
2 1.1 Motivation So far in the literature, INDIDCCA2, is widely considered to be the right security notion which captures the essence of security for IBE [4 6, 15]. However, such an issue has not been investigated rigorously, yet. This work aims to establish such an affirmative justification. Before discussing about how to define the right security notion for IBE, we first glance back to the case of PKE. Notions of Security for PKE. A convenient way to formalize notions of security for cryptographic schemes is considering combinations of the various security goals and possible attack models. Four essential security goals being considered in the case of PKE are onewayness (OW), indistinguishability (IND), semantic security (SS) [9, 11], and nonmalleability (NM) [7], i.e. G i {OW,IND,SS,NM}. The attack models are chosen plaintext attack (CPA) [11], nonadaptive chosen ciphertext attack (CCA1) [7] and adaptive chosen ciphertext attack (CCA2) [12], i.e. A j {CPA,CCA1,CCA2}. Their combinations give nine security notions for PKE, e.g. INDCCA2. SS is widely accepted as the natural goal of encryption scheme because it formalizes an adversary s inability to obtain any information about the plaintext from a given ciphertext. The equivalence between SSCPA and INDCPA has been given [11]; and the equivalences between SSCCA1,2 and INDCCA1,2 are given only recently [10, 14]. On the other hand, NM formalizes an adversary s inability, given a challenge ciphertext y, to output a different ciphertext y in such a way that the plaintexts x, x, underlying these two ciphertexts, are meaningfully related, e.g. x = x + 1. The implications from INDCCA2 to NM under any attack have been proved [3]. For these reasons, along with the convenience of proving security in sense of IND, in almost all concrete schemes, INDCCA2 is considered to be the right standard security notion for PKE. Towards Defining Notions of Security for IBE. Due to the particular mechanism, the adversaries are granted more power in IBE than in PKE. Essentially, the adversaries have access to the key extraction oracle, which answers the private key of any queried public key (identity). Including this particular adaptive chosen identity attack, 1 we formalize the security notions for IBE, e.g. INDIDCCA2, in such a way: G i IDA j, where G i {OW,IND,SS,NM}, ID denotes the particular attack mentioned above, and A j {CPA,CCA1,CCA2}. Boneh and Franklin are the first to define the security notion for IBE, by naturally extending INDCCA2 to INDIDCCA2. Let us rigorously investigate whether INDIDCCA2 could be considered as the right notion for IBE, besides the intuitive reason that it is analogous to INDCCA2. The natural approach to justify such an appropriateness for IBE is, analogously to the case of PKE, to (i) first define SS and NM based security 1 Actually in IBE there exists the other attack against identity, named selective chosen identity attack. In this paper we omit presenting the formal definitions of the security notions in this selectiveid secure sense, but it is easy to see that the implications and separations shown here also hold in the selectiveid case. 2
3 SSmIDCCA2 multiplechallenge CCA2 security SSmIDmCCA2 SSIDmCCA2 OWIDCCA2 SSIDCCA2 INDIDCCA2 NMIDCCA2 OWIDCCA1 SSIDCCA1 INDIDCCA1 NMIDCCA1 OWIDCPA SSIDCPA INDIDCPA NMIDCPA Fig. 1. Relations among the notions of security for IBE notions for IBE, (ii) and then establish the relations among the above security notions: to be more specific, the implications from INDIDCCA2 to all the other notions, i.e. INDIDCCA2 is the strongest notion of security for IBE At the first place the intuition tells us that task (i) seems to be simply achievable by considering the analogy to the case of shifting INDCCA to IND IDCCA as done in [6], and task (ii) could immediately follow from the relations among the notions as the case of PKE, since we shift all the notions with the same additional attack power (namely, the accessibility to key extraction oracle). However, we emphasize that it will not follow simply and immediately until rigorous definitions for task (i) and rigorous proofs for task (ii) are presented. We managed to accomplish both tasks in this paper. 1.2 Our Contributions Our contributions are threefold. First, we formally presented the definitions of the notions of security for IBE schemes. The overall definitions are built upon historical works [3, 6, 10]. Secondly, we rigorously proved the relations among these notions and achieved our conclusion that, INDIDCCA2 is the right notion of security for IBE. It turns out that our intuition about those relations were right: the implication G 1 IDA 1 ( )G 2 IDA 2 will hold in IBE if and only if G 1 A 1 ( )G 2 A 2 holds in PKE, respectively, where the corresponding security goals G i and attack models A j are mentioned above. The results of our second contribution are illustrated in Figure 1. An arrow is an implication, and there is path between A and B if and only if the security notion A implies the security notion B. A hatched arrow represents a separation which is proved in this paper. Dotted arrows refer to trivial implications. For each pair of notions we obtain an implication or a separation, which is either explicitly found in the diagram or deduced from it. In the last place, we study the robustness of INDIDCCA2 secure schemes in the context of encryption of multiple messages and/or to multiple receivers. 3
4 Concretely, inspired by [10], we propose several new attack models for the case of active adversaries: multipleidentity (midcca2) attacks 2 (the adversary can adaptively query for encryptions of the same plaintext under different identities); multipleplaintext (IDmCCA2) attacks (the adversary chooses one fixed identity, and can adaptively query encryption of different plaintexts under that identity) and multipleidentityplaintext attacks (midmcca) (the adversary can adaptively query encryption of different plaintexts under different identities ). It is shown that any INDIDCCA2 scheme also meets those stronger security levels. Our results could be considered as having the same flavor as some historical results, to name just one, the equivalence between INDCCA2 and SSCCA2 for PKE. There, although INDCPA and SSCPA were defined and proved equivalent in the year 1984 [11], the equivalence between INDCCA2 and SSCCA2 had not been proved rigorously until the year 2003 [14]. During this long period of time, people just simply believed that shifting the attack power from CPA to CCA2 will not affect the equivalence. This paper is merged from two parallel works [1, 8]. 1.3 Organization The rest of the paper is organized as follows: in Section 2 we review the formal definition of IBE schemes and several other basic terms. In Section 3 we define the formal definitions of notions of security for IBE schemes. In Section 4 we prove important relations among these notions, rigorously. In Section 5 we study the multichallenge cases. 2 Preliminary 2.1 Identity Based Encryption Formally, an identity based encryption scheme consists of four algorithms, i.e. IBE = (S, X, E, D), where S, the setup algorithm, takes a security parameter k and outputs system parameters param and masterkey mk. The system parameters include the message space M, and the ciphertext space C. X, the extract algorithm, takes triple inputs as param, mk, and an arbitrary id {0, 1}, and outputs a private key sk = E(param, mk, id). Here id is arbitrary. E, the encrypt algorithm, takes triple inputs as param, id {0, 1} and a plaintext x M. It outputs the corresponding ciphertext y C. D, the decrypt algorithm, takes triple inputs as param, y C, and the corresponding private key sk. It outputs x M. 2 This security definition has been previously considered in [2], but no proof of equivalence to INDIDCCA2 was given. Moreover, the attack we consider is stronger since it gives more power to the adversary. 4
5 The four algorithms must satisfy the standard consistency constraint, i.e. if and only if sk is the private key generated by the extract algorithm with the given id as the public key, then, x M : D(param, sk, y) = x, where y = E(param, id, x). 2.2 Conventions Notations. x D(param, sk, y ) denotes that the vector x is made up of the plaintexts corresponding to every ciphertext in the vector y. ˆM denotes a subset of message space M, where the elements of ˆM are distributed according to the distribution designated by some algorithm. Function h : ˆM {0, 1} denotes the apriori partial information about the plaintext and function f : ˆM {0, 1} denotes the aposteriori partial information. Negligible Function. We say a function ɛ : N R is negligible if for every constant c 0 there exits an integer k c such that ɛ(k) < k c for all k > k c. Rrelated Relation. We consider Rrelated relation of arity t where t will be polynomial in the security parameter k. Rather than writing R(x 1, x 2,..., x t ) we write R(x, x), denoting the first argument is special and the rest are bunched into a vector x where x = t 1, and for every xi x, R(x, x i ) holds. Experiments. Let A be a probabilistic algorithm, and let A(x 1,..., x n ; r) be the result of running A on inputs (x 1,..., x n ) and coins r. Let y A(x 1,..., x n ) denote the experiment of picking r at random and let y be A(x 1,..., x n ; r). If S is a finite set then let x S denote the operation of picking an element at random and uniformly from S. And sometimes we use x R S in order to stress this randomness. If α is neither an algorithm nor a set then let x α denote a simple assignment statement. We say that y can be output by A(x 1,..., x n ) if there is some r such that A(x 1,..., x n ; r) = y. 3 Definitions of Security Notions for IBE schemes Let A = (A 1, A 2 ) be an adversary, and we say A is polynomial time if both probabilistic algorithm A 1 and probabilistic algorithm A 2 are polynomial time. At the first stage, given the system parameters, the adversary computes and outputs a challenge template τ. A 1 can output some state information s which will be transferred to A 2. At the second stage the adversary is issued a challenge ciphertext y generated from τ by a probabilistic function, in a manner depending on the goal. We say the adversary A successfully breaks the scheme if she achieves her goal. We consider four security goals, OW, IND, SS and NM. And we consider three attack models, IDCPA,IDCCA1,IDCCA2, in order of increasing strength. The difference among the models is whether or not A 1 or A 2 is granted accesses to decryption oracles. 3 3 With regards to the adaptive chosen identity and selective chosen identity attacks, we only discuss in details the former case (fullid security), while the results can be 5
6 Table 1. Oracle Sets O 1 and O 2 in the Definitions of the Notions for IBE O 1 = {X O 1, EO 1, DO 1} IDCPA {X (param, mk, ), E(param, id, ), ε} IDCCA1 {X (param, mk, ), E(param, id, ), D(param, sk, )} IDCCA2 {X (param, mk, ), E(param, id, ), D(param, sk, )} O 2 = {X O 2, EO 2, DO 2} IDCPA {X (param, mk, ), E(param, id, ), ε} IDCCA1 {X (param, mk, ), E(param, id, ), ε} IDCCA2 {X (param, mk, ), E(param, id, ), D(param, sk, )} In Table 1, we describe the ability with which the adversary in different attack models accesses the Extraction Oracle X (param, mk, ), the Encryption Oracle E(param, id, ) and the Decryption Oracle D(param, sk, ). When we say O i = {X O i, EO i, DO i } = {X (param, mk, ), E(param, id, ),ε}, where i {1, 2}, we mean DO i is a function that returns an empty string ε on any input. Remark 1. To have meaningful definitions, we insist that the target public key id should not be previously queried on, i.e. it is completely meaningless if the adversary has already known the corresponding private key of id. 3.1 Onewayness As far as we know, only onewayness against fullidentity chosenplaintext attacks (referred to as OWIDCPA in the following definition) has been previously considered in the literature. Here we define onewayness through a twostage experiment. A 1 is run on the system parameters param as input. At the end of A 1 s execution she outputs (s, id), such that s is state information (possibly including param) which she wants to preserve, and id is the public key which she wants to attack. One plaintext x is randomly selected from the message space M beyond adversary s view. A challenge y is computed by encrypting x with the public key id. A 2 tries to computer what x was. Definition 1 (OWIDCPA, OWIDCCA1, OWIDCCA2). Let IBE = (S, X, E, D) be an identity based encryption scheme and let A = (A 1, A 2 ) be an adversary. For atk {idcpa,idcca1,idcca2} and k N let, where, for b, d {0, 1}, Adv owatk IBE,A(k) = Pr[Exp owatk IBE,A(k) = 1] (1) extended to the latter case (selectiveid security), since the strategies are similar. Roughly speaking, the target public key id should be decided by the adversary in advance, before the challenger runs the setup algorithm. The restriction is that the extraction query on id is prohibited. 6
7 Experiment Exp owatkb IBE,A (param, mk) S(k); (k) (s, id) A O1 1 (param); x M; y E(param, id, x ); x A O2 if x = x then d 1 else d 0; return d 2 (s, y, id); We say that IBE is secure in the sense of OWATK, if Adv owatk IBE,A (k) is negligible for any A. 3.2 Indistinguishability In this scenario A 1 is run on param, and outputs (x 0, x 1, s, id), such that x 0 and x 1 are plaintexts with the same length. One of x 0 and x 1 is randomly selected, say x b, beyond adversary s view. A challenge y is computed by encrypting x b with id. A 2 tries to distinguish whether y was the encryption of x 0 or x 1. Definition 2 (INDIDCPA, INDIDCCA1, INDIDCCA2). Let IBE = (S, X, E, D) be an identity based encryption scheme and let A = (A 1, A 2 ) be an adversary. For atk {idcpa,idcca1,idcca2} and k N let, Adv indatk IBE,A (k) = Pr[Exp indatk1 IBE,A (k) = 1] Pr[Exp indatk0 IBE,A (k) = 1] (2) where, for b, d {0, 1} and x 0 = x 1, Experiment Exp indatkb IBE,A (k) (param, mk) S(k); (x 0, x 1, s, id) A O1 1 (param); y E(param, id, x b ); d A O2 2 (x 0, x 1, s, y, id); return d We say that IBE is secure in the sense of INDATK, if Adv indatk IBE,A (k) is negligible for any A. 3.3 Semantic Security In this scenario, A 1 is given param, and outputs ( ˆM, h, f, s, id). Here the distribution of ˆM is designated by A 1, and ( ˆM, h, f) is the challenge template τ. A 2 receives an encryption y of a random message x drawn from ˆM. The adversary then outputs a value v. She hopes that v = f(x ). The adversary is successful if she can do this with a probability significantly more than any simulator does. The simulator tries to do as well as the adversary without knowing the challenge ciphertext y nor accessing any oracle. Definition 3 (SSIDCPA, SSIDCCA1, SSIDCCA2). Let IBE = (S, X, E, D) be an identity based encryption scheme, let A = (A 1, A 2 ) be an adversary, and let A = (A 1, A 2) be the simulator. For atk {idcpa,idcca1,idcca2} and k N let, Adv ssatk IBE,A,A where, for b {0, 1}, (k) = Pr[Expssatk (k) = 1] Pr[Expssatk (k) = 1] (3) IBE,A IBE,A 7
8 Experiment Exp ssatk (param, mk) S(k); IBE,A (k) Experiment Expssatk IBE,A (k) ( ˆM, h, f, s, id) A 1(k); ( ˆM, h, f, s, id) A O1 1 (param); x R ˆM; x R ˆM; y E(param, id, x ); v A 2(s, x, h(x ), id); v A O2 2 (s, y, h(x ), id); if v = f(x ) if v = f(x ) then d 1 else d 0; then d 1 else d 0; return d return d We say that IBE is secure in the sense of SSATK, if for any adversary A there exists a simulator such that Adv ssatk IBE,A(k) is negligible. We comment here that it is necessary to require in both cases τ is distributed identically, since both A and A generate target public key id by themselves, i.e. τ is output by A and A themselves. 3.4 Nonmalleability In this scenario, A 1 is given param, and outputs a triple ( ˆM, s, id). A 2 receives an encryption y of a random message x 1.The adversary then outputs a description of a relation R and a vector y of ciphertexts. We insist that y y. 4 The adversary hopes that R(x 1, x) holds. We say she is successful if, she can do this with a probability significantly more than that, with which R(x 0, x) holds. Here x 0 is also a plaintext chosen uniformly from ˆM, independently of x 1. Definition 4 (NMIDCPA, NMIDCCA1, NMIDCCA2). Let IBE = (S, X, E, D) be an identity based encryption scheme and let A = (A 1, A 2 ) be an adversary. For atk {idcpa,idcca1,idcca2} and k N let, Adv nmatk IBE,A(k) = Pr[Exp nmatk1 IBE,A (k) = 1] Pr[Exp nmatk0 IBE,A (k) = 1] (4) where, for b {0, 1} and x 0 = x 1, Experiment Exp nmatkb IBE,A (param, mk) S(k); (k) ( ˆM, s, id) A O1 1 (param); R x 0, x 1 ˆM; y E(param, id, x 1 ); (R, y) A O2 2 (s, y, id); x D(param, id, y); if y y x R(x b, x) then d 1 else d 0; return d We say that IBE is secure in the sense of NMATK, if Adv nmatk IBE,A(k) is negligible for any A. 4 The adversary is prohibited from performing copying the challenge ciphertext y. Otherwise, she could output the equality relation R, where R(a, b) holds if and only if a = b, and output y= {y }, and be successful, always. 8
9 4 Relations among the Notions of Security for IBE Schemes In this section, we show that security proved in the sense of INDIDCCA2 is validly sufficient for implying security in any other sense in IBE. We first extend the relation (equivalence) between INDATK and SSATK into IBE environment, and then extend the relation between INDATK and NMATK into IBE environment. At last we study the separation between INDATK and OWATK. We demonstrate the relations among the notions of security for IBE as follows, where ATK {IDCPA,IDCCA1,IDCCA2}, 4.1 Equivalence between IND and SS Theorem 1 (INDATK SSATK). A scheme IBE is secure in the sense of INDATK if and only if IBE is secure in the sense of SSATK. Lemma 2 (INDATK SSATK) If a scheme IBE is secure in the sense of INDATK then IBE is secure in the sense of SSATK. Proof. See Lemma 2 in [1] or Theorem 7 in [8]. Lemma 3 (SSATK INDATK) If a scheme IBE is secure in the sense of SSATK then IBE is secure in the sense of INDATK. Proof. See Lemma 3 in [1] or Theorem 8 in [8]. Proof of Theorem 1. From Lemma 2 and 3, Theorem 1 follows immediately. 4.2 Relations between IND and NM Theorem 4 (INDIDCCA2 NMIDCCA2). If a scheme IBE is secure in the sense of INDIDCCA2 then IBE is secure in the sense of NMIDCCA2. Proof. See Theorem 4 in [1] or Theorem 10 in [8]. Theorem 5 (NMATK INDATK). If a scheme IBE is secure in the sense of NMATK then IBE is secure in the sense of INDATK. Proof. See Theorem 5 in [1] or Theorem 9 in [8]. Theorem 6 (INDIDCPA NMIDCPA). If there is a scheme IBE secure in the sense of INDIDCPA then there also exists a scheme IBE which is secure in the sense of INDIDCPA, but not secure in the sense of NMIDCPA. Proof. See Theorem 11 in [8]. Theorem 7 (INDIDCCA1 NMIDCPA). If there is a scheme IBE secure in the sense of NMIDCPA then there also exists a scheme IBE which is secure in the sense of NMIDCPA, but not secure in the sense of INDIDCCA1. Proof. See Theorem 12 in [8]. 9
10 4.3 Separation between IND and OW Theorem 8 (INDATK OWATK). If there is a scheme IBE secure in the sense of OWATK then there also exists a scheme IBE which is secure in the sense of OWATK, but not secure in the sense of INDATK. Proof. See Theorem 6 in [8]. 5 Semantical Security of IBE Schemes under Multiplechallenge CCA2 We present three notions of SS under multiplechallenge CCA2, following the conventional publickey version [10]. Here an adversary is allowed to make polynomially many challenge templates. Moreover each template is answered with a challenge ciphertext immediately (not after making all the templates), and the next challenge template can be generated according to the preceding templates and their answers. After this stage of asking many challenge templates adaptively and in a related manner, the adversary tries to guess information about the unrevealed plaintexts used in answering challenge templates. We shall introduce three different types of multiplechallenge CCA2 attacks: midcca2, IDmCCA2, and midmcca2. In the definition of SSIDCCA2 an adversary consists of two algorithms A 1 and A 2, in such a way that A 1 outputs a challenge template, the challenger chooses a plaintext and presents its encryption, and then A 2 tries to guess information about the plaintext. In the multiplechallenge case this interaction is modelled by providing the adversary with a tester algorithm T r,param or T r as its oracle. Here T r,param is given to an actual adversary (which obtains a ciphertext in addition to information leak), while T r is given to its benign simulator (which only sees information leak). A challenge template 5 is then sent to one of these oracles as a query (called challenge query ). Algorithm T r,param (P, id, h) return ( E(param, id, P (r)), h(r) ) Algorithm T r(p, h) return h(r) Intuitively the parameter r of a tester is understood as the multiplechallenge version of the coin tosses that the challenger uses to select plaintexts. It is a sufficiently long sequence of coin tosses (r 1, r 2,..., r t ) which is unrevealed to the adversary. Given the ith challenge template (P i, id i, h i ) (or (P i, h i ) from a simulator), the challenger chooses a plaintext by P i (r 1, r 2,..., r i ) using the first 5 In the previous sections a challenge template includes a distribution ˆM from which a challenge plaintext is picked. However, in this section we prefer to work with a deterministic plaintext circuit P which, given an input from U poly(k) kept secret for the adversary, outputs a challenge plaintext. The reason for doing so is some technical ease in the proofs. Here and in the following U poly(k) denotes the uniform distribution on {0, 1} p(k) for some polynomial p. 10
11 i coin tosses in r. Note that now h leaks information on coin tosses r rather than plaintexts P i (r 1, r 2,..., r i ). 6 As discussed in [8, 10], the only restriction here is that, extraction queries on challenge identities cannot be made. Definition 5 (Semantic security under multiplechallenge CCA2). Let IBE = (S, X, E, D) be an identity based encryption scheme. IBE is secure in the sense of SSmIDmCCA2 if the following holds. For every oracle PPT A ( SSmIDmCCA2 adversary ) with the following restriction on oracle queries: in any execution of A X mk, D mk, T r,param (param), for each challenge query (c, b) T r,param (P, id, h) by A, A is prohibited to make (1) the extraction query X mk (id) regardless of before or after the challenge query, or, (2) the decryption query D mk (id, c) after the challenge query, there exists a PPT algorithm A ( benign simulator of A ) which is equally successful as A, in the following sense. 1. The difference between the advantage of the actual adversary A and that of the benign simulator A, namely [ ] Pr v = f(r) (param, mk) S(k); r U poly(k) ; (f, v) A X mk, D mk, T r,param (param) [ ] Pr v = f(r) r U poly(k) ; (f, v) A T r (1 k ) is negligible as a function over k. 2. The two ensemples over k Z + : f) (t, f) (t, t (param, mk) S(k); r U poly(k) ; (f, v) A X mk, D mk, T r,param and (param) t with trace r U poly(k) ; (f, v) A Tr (1 k ) with trace are computationally indistinguishable. Here the trace of an execution of the actual adversary A is the sequence of (P, h)part of the challenge queries (P, id, h) made by A. The trace of an execution of the simulator A is simply the sequence of challenge queries A makes. SSmIDCCA2 is defined analogously except that an adversary A is restricted to have the same plaintext circuit P and the same information leakage circuit h in all the challenge queries in the trace of an execution of A (the challenge identity id can vary). SSIDmCCA2 is analogous to SSmIDmCCA2 except that an adversary A must have the same challenge identity id in all the challenge queries in the trace of an execution of A (P and h can vary). 6 As is shown in Definition 5, the same goes to the information to guess: it is about the coin tosses r (i.e. f(r) to guess) rather than plaintexts (i.e. f(p (r)) to guess). 11
12 Remark 2. Note that our midcca2 attack is stronger than the attack consider in [2], since in the latter case the adversary has to commit at once to the identities on which it wants to be challenged, while in the present case the ith identity can be chosen depending on the challenges received so far. Theorem 9. The three security notions under multiplechallenge CCA2 in Definition 5 are all equivalent to the singlechallenge security SSIDCCA2. Proof. See Theorem 14 in [8]. References 1. N. Attrapadung, Y. Cui, G. Hanaoka, H. Imai, K. Matsuura, P. Yang, and R. Zhang. Relations among notions of security for identity based encryption schemes. Cryptology eprint Archive, Report 2005/258, J. Baek, R. SafaviNaini, and W. Susilo. Efficient multireceiver identitybased encryption and its application to broadcast encryption. In PKC 2005, volume 3386 of LNCS, pages , M. Bellare, A. Desai, D. Pointcheval, and P. Rogaway. Relations among notions of security for publickey encryption schemes. In CRYPTO 98, volume 1462 of LNCS, pages 26 45, D. Boneh and X. Boyen. Secure identity based encryption without random oracles. In CRYPTO 04, volume 3152 of LNCS, pages , D. Boneh, X. Boyen, and E. Goh. Hierarchical identity based encryption with constant size ciphertext. In EUROCRYPT 05, volume 3494 of LNCS, pages , D. Boneh and M. Franklin. Identitybased encryption from the Weil pairing. In CRYPTO 01, volume 2139 of LNCS, pages , D. Dolev, C. Dwork, and M. Naor. Nonmalleable cryptography (extended abstract). In STOC 91, pages , D. Galindo and I. Hasuo. Security notions for identity based encryption. Cryptology eprint Archive, Report 2005/253, O. Goldreich. Foundations of cryptography, Volumn II (revised, posted version Nr. 4.2) oded/. 10. O. Goldreich, Y. Lustig, and M. Naor. On chosen ciphertext security of multiple encryptions. Cryptology eprint Archive, Report 2002/089, S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer and System Sciences, 28: , C. Rackoff and D.R. Simon. Noninteractive zeroknowledge proof of knowledge and chosen ciphertext attack. In CRYPTO 91, volume 576 of LNCS, pages , A. Shamir. Identitybased cryptosystems and signature schemes. In CRYPTO 84, volume 196 of LNCS, pages 47 53, Y. Watanabe, J. Shikata, and H. Imai. Equivalence between semantic security and indistinguishability against chosen ciphertext attacks. In PKC 03, volume 2567 of LNCS, pages 71 84, B. Waters. Efficient identitybased encryption without random oracles. In EURO CRYPT 05, volume 3494 of LNCS, pages ,
Relations among Notions of Security for Identity Based Encryption Schemes
Vol. 47 No. 8 IPSJ Journal Aug. 006 Regular Paper Relations among Notions of Security for Identity Based Encryption Schemes Peng Yang, Goichiro Hanaoka, Yang Cui, Rui Zhang, Nuttapong Attrapadung, Kanta
More informationUniversally Composable IdentityBased Encryption
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationKey Privacy for Identity Based Encryption
Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 20062 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March
More informationIdentityBased Encryption from the Weil Pairing
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
More informationMESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC
MESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial
More informationProvably Secure Cryptography: State of the Art and Industrial Applications
Provably Secure Cryptography: State of the Art and Industrial Applications Pascal Paillier Gemplus/R&D/ARSC/STD/Advanced Cryptographic Services FrenchJapanese Joint Symposium on Computer Security Outline
More informationUniversal Padding Schemes for RSA
Universal Padding Schemes for RSA JeanSébastien Coron, Marc Joye, David Naccache, and Pascal Paillier Gemplus Card International, France {jeansebastien.coron, marc.joye, david.naccache, pascal.paillier}@gemplus.com
More informationThreshold Identity Based Encryption Scheme without Random Oracles
WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yatsen University Guangzhou, P.R. China Yanming Wang Lingnan College
More informationCryptography. Identitybased Encryption. JeanSébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg
Identitybased Encryption Université du Luxembourg May 15, 2014 Summary IdentityBased Encryption (IBE) What is IdentityBased Encryption? Difference with conventional PK cryptography. Applications of
More informationCiphertextAuditable Identitybased Encryption
International Journal of Network Security, Vol.17, No.1, PP.23 28, Jan. 2015 23 CiphertextAuditable Identitybased Encryption Changlu Lin 1, Yong Li 2, Kewei Lv 3, and ChinChen Chang 4,5 (Corresponding
More information1 Pseudorandom Permutations
Theoretical Foundations of Cryptography Lecture 9 Georgia Tech, Spring 2010 PRPs, Symmetric Encryption 1 Pseudorandom Permutations Instructor: Chris Peikert Scribe: Pushkar Tripathi In the first part of
More informationChosenCiphertext Security from IdentityBased Encryption
ChosenCiphertext Security from IdentityBased Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCAsecure publickey encryption schemes (i.e., schemes
More informationIdentity based cryptography
Identity based cryptography The case of encryption schemes David Galindo d.galindo@cs.ru.nl Security of Systems Department of Computer Science Radboud Universiteit Nijmegen Identity based cryptography
More informationCOM S 687 Introduction to Cryptography October 19, 2006
COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: NonMalleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 NonMalleability Until this point we have discussed
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationNonBlackBox Techniques In Crytpography. Thesis for the Ph.D degree Boaz Barak
NonBlackBox Techniques In Crytpography Introduction Thesis for the Ph.D degree Boaz Barak A computer program (or equivalently, an algorithm) is a list of symbols a finite string. When we interpret a
More informationChosenCiphertext Security from IdentityBased Encryption
ChosenCiphertext Security from IdentityBased Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCAsecure publickey encryption schemes
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture  PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationRSA OAEP is Secure under the RSA Assumption
This is a revised version of the extended abstract RSA OAEP is Secure under the RSA Assumption which appeared in Advances in Cryptology Proceedings of CRYPTO 2001 (19 23 august 2001, Santa Barbara, California,
More informationFuzzy IdentityBased Encryption
Fuzzy IdentityBased Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) IdentityBased Encryption Formal definition Security Idea Ingredients Construction Security Extensions
More informationMultiInput Functional Encryption for Unbounded Arity Functions
MultiInput Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multiinput functional encryption (MIFE) was
More informationIntroduction to Security Proof of Cryptosystems
Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationAnonymity and Time in PublicKey Encryption
Anonymity and Time in PublicKey Encryption Elizabeth Anne Quaglia Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics
More informationChapter 4. Symmetric Encryption. 4.1 Symmetric encryption schemes
Chapter 4 Symmetric Encryption The symmetric setting considers two parties who share a key and will use this key to imbue communicated data with various security attributes. The main security goals are
More informationHybrid Signcryption Schemes with Insider Security (Extended Abstract)
Hybrid Signcryption Schemes with Insider Security (Extended Abstract) Alexander W. Dent Royal Holloway, University of London Egham Hill, Egham, Surrey, TW20 0EX, U.K. a.dent@rhul.ac.uk http://www.isg.rhul.ac.uk/~alex/
More informationLecture 5  CPA security, Pseudorandom functions
Lecture 5  CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.
More informationChosenCiphertext Security from IdentityBased Encryption
ChosenCiphertext Security from IdentityBased Encryption Ran Canetti 1, Shai Halevi 1, and Jonathan Katz 2 1 IBM T. J. Watson Research Center, Hawthorne, NY. {canetti,shaih}@watson.ibm.com 2 Dept. of
More informationEfficient Hierarchical Identity Based Encryption Scheme in the Standard Model
Informatica 3 (008) 07 11 07 Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model Yanli Ren and Dawu Gu Dept. of Computer Science and Engineering Shanghai Jiao Tong University
More informationIdentityBased Encryption from the Weil Pairing
IdentityBased Encryption from the Weil Pairing Dan Boneh 1, and Matt Franklin 2 1 Computer Science Department, Stanford University, Stanford CA 943059045 dabo@cs.stanford.edu 2 Computer Science Department,
More informationIEEE Draft P1363.3. Identity Based Public Key Cryptography Based On Pairings. Daniel Schliebner. 14. Dezember 2009
Identity Based Public Key Cryptography Based On Pairings 14. Dezember 2009 Gliederung Introduction Identity Based Encryption The Protocol Security Of The Protocol Discussion About The Headline Identity
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical publickey
More informationChapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of publickey cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationKey Refreshing in Identitybased Cryptography and its Application in MANETS
Key Refreshing in Identitybased Cryptography and its Application in MANETS Shane Balfe, Kent D. Boklan, Zev Klagsbrun and Kenneth G. Paterson Royal Holloway, University of London, Egham, Surrey, TW20
More informationIntroduction to Cryptography
Introduction to Cryptography Part 2: publickey cryptography JeanSébastien Coron January 2007 Publickey cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has
More informationPostQuantum Cryptography #4
PostQuantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertextonly attack: This is the most basic type of attack
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More informationPublicKey Encryption (Asymmetric Encryption)
PublicKey Encryption (Asymmetric Encryption) Summer School, Romania 2014 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1 The story so far (PrivateKey Crypto) Alice establish secure
More informationSemantic Security for the McEliece Cryptosystem without Random Oracles
Semantic Security for the McEliece Cryptosystem without Random Oracles Ryo Nojima 1, Hideki Imai 23, Kazukuni Kobara 3, and Kirill Morozov 3 1 National Institute of Information and Communications Technology
More informationIdentitybased Encryption with PostChallenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks
Identitybased Encryption with PostChallenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen  Huawei, Singapore Ye Zhang  Pennsylvania State University, USA Siu Ming
More informationLecture 3: OneWay Encryption, RSA Example
ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: OneWay Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationEfficient MultiReceiver IdentityBased Encryption and Its Application to Broadcast Encryption
Efficient MultiReceiver IdentityBased Encryption and Its Application to Broadcast Encryption Joonsang Baek Reihaneh SafaviNaini Willy Susilo Centre for Information Security Research School of Information
More informationAsymmetric cryptography in the random oracle model. Gregory Neven IBM Zurich Research Laboratory
Asymmetric cryptography in the random oracle model Gregory Neven IBM Zurich Research Laboratory Overview Provable security: the concept Digital signatures and the Random Oracle Model Publickey encryption
More information1 Signatures vs. MACs
CS 120/ E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. KatzLindell 10 1 Signatures vs. MACs Digital signatures
More informationProvableSecurity Analysis of Authenticated Encryption in Kerberos
ProvableSecurity Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 303320765
More informationMultiChannel Broadcast Encryption
MultiChannel Broadcast Encryption Duong Hieu Phan 1,2, David Pointcheval 2, and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. Broadcast encryption aims at sending a content
More informationSecurity Analysis of DRBG Using HMAC in NIST SP 80090
Security Analysis of DRBG Using MAC in NIST SP 80090 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@ufukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator
More informationencryption Presented by NTU Singapore
A survey on identity based encryption Presented by Qi Saiyu NTU Singapore Outline Introduction of public key encryption Identitybased encryption (IBE) Hierarchical identity based encryption (HIBE) Before
More informationPublic Key Encryption with Keyword Search Revisited
Public Key Encryption with Keyword Search Revisited Joonsang Baek, Reihaneh SafiaviNaini,Willy Susilo University of Wollongong Northfields Avenue Wollongong NSW 2522, Australia Abstract The public key
More informationCryptographic treatment of CryptDB s Adjustable Join
Cryptographic treatment of CryptDB s Adjustable Join Raluca Ada Popa and Nickolai Zeldovich MIT CSAIL March 25, 2012 1 Introduction In this document, we provide a cryptographic treatment of the adjustable
More informationProofs in Cryptography
Proofs in Cryptography Ananth Raghunathan Abstract We give a brief overview of proofs in cryptography at a beginners level. We briefly cover a general way to look at proofs in cryptography and briefly
More informationAnalysis of PrivacyPreserving Element Reduction of Multiset
Analysis of PrivacyPreserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaCRIM, Seoul
More informationLecture 15  Digital Signatures
Lecture 15  Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations  easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.
More informationBreaking An IdentityBased Encryption Scheme based on DHIES
Breaking An IdentityBased Encryption Scheme based on DHIES Martin R. Albrecht 1 Kenneth G. Paterson 2 1 SALSA Project  INRIA, UPMC, Univ Paris 06 2 Information Security Group, Royal Holloway, University
More informationDefinitions for Predicate Encryption
Definitions for Predicate Encryption Giuseppe Persiano Dipartimento di Informatica, Università di Salerno, Italy giuper@dia.unisa.it Thursday 12 th April, 2012 Cryptographic Proofs 1 Content Results on
More informationCertificate Based Signature Schemes without Pairings or Random Oracles
Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying
More informationIdentityBased Encryption Secure Against ChosenCiphertext Selective Opening Attack
IdentityBased Encryption Secure Against ChosenCiphertext Selective Opening Attack Junzuo Lai, Robert H. Deng, Shengli Liu, Jian Weng, and Yunlei Zhao Shanghai Jiao Tong University, Shanghai 200030, China
More informationMACs Message authentication and integrity. Table of contents
MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and
More informationIdentitybased encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012
Identitybased encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identitybased encryption Publickey encryption, where public key = name
More informationSecurity of Blind Digital Signatures
Security of Blind Digital Signatures (Revised Extended Abstract) Ari Juels 1 Michael Luby 2 Rafail Ostrovsky 3 1 RSA Laboratories. Email: ari@rsa.com. 2 Digital Fountain 3 UCLA, Email: rafail@cs.ucla.edu.
More informationAdaptivelySecure, NonInteractive PublicKey Encryption
AdaptivelySecure, NonInteractive PublicKey Encryption Ran Canetti 1, Shai Halevi 1, and Jonathan Katz 2 1 IBM T.J. Watson Research Center, NY, USA. 2 Department of Computer Science, University of Maryland.
More informationCryptoVerif Tutorial
CryptoVerif Tutorial Bruno Blanchet INRIA ParisRocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUFCMA
More informationTrading OneWayness against ChosenCiphertext Security in FactoringBased Encryption
Trading OneWayness against ChosenCiphertext Security in FactoringBased Encryption Pascal Paillier 1 and Jorge L. Villar 2 1 Cryptography Group, Security Labs, Gemalto pascal.paillier@gemalto.com 2 Departament
More informationA Performance Analysis of IdentityBased Encryption Schemes
A Performance Analysis of IdentityBased Encryption Schemes Pengqi Cheng, Yan Gu, Zihong Lv, Jianfei Wang, Wenlei Zhu, Zhen Chen, Jiwei Huang Tsinghua University, Beijing, 084, China Abstract We implemented
More information1 Domain Extension for MACs
CS 127/CSCI E127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures KatzLindell Ÿ4.34.4 (2nd ed) and Ÿ12.012.3 (1st ed).
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationSecurity Analysis for Order Preserving Encryption Schemes
Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu ILing
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationA Fast Semantically Secure Public Key Cryptosystem Based on Factoring
International Journal of Network Security, Vol.3, No., PP.144 150, Sept. 006 (http://ijns.nchu.edu.tw/) 144 A Fast Semantically Secure Public Key Cryptosystem Based on Factoring Sahdeo Padhye and Birendra
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationLecture 9  Message Authentication Codes
Lecture 9  Message Authentication Codes Boaz Barak March 1, 2010 Reading: BonehShoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationMultiRecipient Encryption Schemes: Efficient Constructions and their Security
This is the full version of the paper with same title that appeared in IEEE Transactions on Information Theory, Volume 53, Number 11, 2007. It extends the previously published versions Ku, BBS. MultiRecipient
More informationPrivacy in Encrypted Content Distribution Using Private Broadcast Encryption
Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth 1, Dan Boneh 1, and Brent Waters 2 1 Stanford University, Stanford, CA 94305 {abarth, dabo}@cs.stanford.edu 2 SRI
More informationIdentityBased Encryption from Lattices in the Standard Model
IdentityBased Encryption from Lattices in the Standard Model Shweta Agrawal and Xavier Boyen Preliminary version July 20, 2009 Abstract. We construct an IdentityBased Encryption (IBE) system without
More informationEfficient CertificateBased Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 0, 55568 (04) Efficient CertificateBased Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model * College of Computer and Information
More informationLecture 25: PairingBased Cryptography
6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: PairingBased Cryptography Scribe: Ben Adida 1 Introduction The field of PairingBased Cryptography
More information36 Toward Realizing PrivacyPreserving IPTraceback
36 Toward Realizing PrivacyPreserving IPTraceback The IPtraceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems
More informationNoninteractive and Reusable Nonmalleable Commitment Schemes
Noninteractive and Reusable Nonmalleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider nonmalleable (NM) and universally composable (UC) commitment schemes in the
More informationOn Constructing Certificateless Cryptosystems from Identity Based Encryption
On Constructing Certificateless Cryptosystems from Identity Based Encryption Benoît Libert and JeanJacques Quisquater UCL, Microelectronics Laboratory, Crypto Group Place du Levant, 3, B1348, LouvainLaNeuve,
More informationPublic Key Encryption with keyword Search
Public Key Encryption with keyword Search Dan Boneh Stanford University Giovanni Di Crescenzo Telcordia Rafail Ostrovsky Giuseppe Persiano UCLA Università di Salerno Abstract We study the problem of searching
More informationComputational Soundness of Symbolic Security and Implicit Complexity
Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 37, 2013 Overview
More informationON MULTIAUTHORITY CIPHERTEXTPOLICY ATTRIBUTEBASED ENCRYPTION
Bull. Korean Math. Soc. 46 (2009), No. 4, pp. 803 819 DOI 10.4134/BKMS.2009.46.4.803 ON MULTIAUTHORITY CIPHERTEXTPOLICY ATTRIBUTEBASED ENCRYPTION Sascha Müller, Stefan Katzenbeisser, and Claudia Eckert
More informationPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTION http://www.tutorialspoint.com/cryptography/public_key_encryption.htm Copyright tutorialspoint.com Public Key Cryptography Unlike symmetric key cryptography, we do not find historical
More informationFuzzy Identity Based Encryption Preliminary Version
Fuzzy Identity Based Encryption Preliminary Version Amit Sahai Brent R. Waters Abstract We introduce a new type of Identity Based Encryption (IBE) scheme that we call Fuzzy Identity Based Encryption. A
More informationSample or Random Security A Security Model for SegmentBased Visual Cryptography
Sample or Random Security A Security Model for SegmentBased Visual Cryptography Sebastian Pape Dortmund Technical University March 5th, 2014 Financial Cryptography and Data Security 2014 Sebastian Pape
More informationOn The Impossibility of Basing Identity Based Encryption on Trapdoor Permutations
On The Impossibility of Basing Identity Based Encryption on Trapdoor Permutations Dan Boneh Periklis A. Papakonstantinou Charles Rackoff Yevgeniy Vahlis Brent Waters Abstract We ask whether an Identity
More informationPublic Key Encryption with keyword Search
Public Key Encryption with keyword Search Dan Boneh Stanford University Giovanni Di Crescenzo Telcordia Rafail Ostrovsky Giuseppe Persiano UCLA Università di Salerno Abstract We study the problem of searching
More informationA Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem
A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem Jintai Ding, Xiang Xie, Xiaodong Lin University of Cincinnati Chinese Academy of Sciences Rutgers University Abstract.
More informationModular Security Proofs for Key Agreement Protocols
Modular Security Proofs for Key Agreement Protocols Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, niversity of London, K {c.j.kudla,kenny.paterson}@rhul.ac.uk Abstract.
More informationOnLine/OffLine Digital Signatures
J. Cryptology (996) 9: 35 67 996 International Association for Cryptologic Research OnLine/OffLine Digital Signatures Shimon Even Computer Science Department, Technion Israel Institute of Technology,
More informationASYMMETRIC (PUBLICKEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLICKEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A nontechnical account of the history of publickey cryptography and the colorful characters
More informationMTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
More informationEnforcing RoleBased Access Control for Secure Data Storage in the Cloud
The Author 211. Published by Oxford University Press on behalf of The British Computer Society. All rights reserved. For Permissions please email: journals.permissions@oup.com Advance Access publication
More informationConcrete Security of the BlumBlumShub Pseudorandom Generator
Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. SpringerVerlag. Concrete Security of the BlumBlumShub Pseudorandom Generator
More informationEfficient File Sharing in Electronic Health Records
Efficient File Sharing in Electronic Health Records Clémentine Gritti, Willy Susilo and Thomas Plantard University of Wollongong, Australia 27/02/2015 1/20 Outline for Section 1 1 Introduction 2 Solution
More informationHierarchical Group Signatures
Hierarchical Group Signatures Mårten Trolin and Douglas Wikström March 22, 2005 Abstract We introduce the notion of hierarchical group signatures. This is a proper generalization of group signatures, which
More informationTrading Static for Adaptive Security in Universally Composable ZeroKnowledge
Trading Static for Adaptive Security in Universally Composable ZeroKnowledge Aggelos Kiayias and HongSheng Zhou Computer Science and Engineering University of Connecticut Storrs, CT, USA {aggelos,hszhou}@cse.uconn.edu
More informationLecture 2: Complexity Theory Review and Interactive Proofs
600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography
More information