# Fuzzy Identity-Based Encryption

## Transcription

Slide 1: Fuzzy Identity-Based Encryption. Janek Jochheim, June 20th 2013

Slide 2: Overview
- Motivation
- (Fuzzy) Identity-Based Encryption
- Formal definition
- Security
- Idea
- Ingredients
- Construction
- Security
- Extensions

Slide 3: Motivation. Classic public-key cryptography
- Some user A wants to communicate with B
- Requests public key for B to encrypt message
- [Diagram: User A, User B; labels "Request public key", "Public key for B", "Encrypted message"]

Slide 4: Motivation. Identity-Based Encryption (IBE)
- Messages encrypted for an identity
- User only needs to know identity of recipient e.g.
- [Diagram: User A, User B; label "Encrypted message with identity of B"]

Slide 5: Motivation. Fuzzy Identity-Based Encryption
- View identity as a set of attributes
- Assign attributes to every user
- Encrypt message with attribute set
- A user can decrypt a message iff the attribute overlap between identity and message is at least $d$
- Allows error tolerance

Slide 6: Motivation. Application example: biometric eye scan
- Interpret features of the iris as attributes
- Identity of a user = iris of his eye
- User can authorize in system with his iris
- Advantages:
  - Easy authorization process
  - User always has public key available
  - Error tolerance allows noise during eye scan

Slide 7: Fuzzy IBE. Fuzzy Identity-Based Encryption

Slide 8: Fuzzy IBE. Definition
- Let $U$ be a universe of attributes
- Identity $\omega \subseteq U$
- Identity overlap $d$
- Decryption for identity $\omega$ possible iff $|\omega \cap \omega'| \ge d$

Slide 9: Fuzzy IBE. Definition: the algorithms
A fuzzy identity-based encryption scheme $\Pi$ consists of four ppts: $\Pi = (\mathrm{Setup}, \mathrm{Key\text{-}Gen}, \mathrm{Enc}, \mathrm{Dec})$.
- $\mathrm{Setup}(U, d)$: Initializes a cryptographic system with attribute universe $U$ and a threshold $d$; publishes public parameters.
- $\mathrm{Key\text{-}Gen}(\omega)$: Generate a private key $k_\omega$ for identity $\omega \subseteq U$. Obviously, it should hold that $|\omega| \ge d$.
- $\mathrm{Enc}(m, \omega')$: Encrypt a message $m$ with the identity $\omega'$ using the public parameters.

Slide 10: Fuzzy IBE. Definition: the algorithms
- $\mathrm{Dec}(c, k_\omega)$: Decrypt the ciphertext $c$ with the private key $k_\omega$ that has been generated for the identity $\omega$.
- Correctness: $\omega'$ denotes the identity that has been used to encrypt $c$. If $|\omega \cap \omega'| \ge d$ then $\mathrm{Dec}(\mathrm{Enc}(m, \omega'), k_\omega) = m$ for all $m$.

Slide 11: Fuzzy IBE. Security (informal)
Fuzzy IBE must be secure against collusion attacks:
- Group of users with identities $\omega_1, \ldots, \omega_n$
- Every user has private key $k_{\omega_i}$
- Ciphertext $c$ that has been encrypted with identity $\omega'$
- No user is able to decrypt $c$, i.e. $|\omega_i \cap \omega'| < d$ for all $i = 1, \ldots, n$
- Not possible to decrypt $c$ by combining the keys $k_{\omega_1}, \ldots, k_{\omega_n}$

Slide 12: Fuzzy IBE. Security: Fuzzy Selective-ID game $\mathrm{Sel\text{-}ID}^{\mathrm{col}}_{A,\Pi}(\lambda)$
$A$ a ppt, $\Pi$ a fuzzy IBE encryption scheme.
1. $A$ chooses an identity $\alpha$.
2. Challenger initializes cryptographic system; gives public parameters to $A$.
3. $A$ can query private keys for identities $\omega_i$ with $|\omega_i \cap \alpha| < d$.
4. $A$ outputs $m_0, m_1$. Challenger encrypts $m_b$, $b \in \{0, 1\}$, and gives ciphertext $c$ to $A$.
5. The same as step 3.
6. $A$ outputs guess $b'$.

$A$ wins the game iff $b' = b$.

Slide 13: Fuzzy IBE. Security (formal)
A Fuzzy IBE scheme $\Pi$ is secure against collusion attacks if for every ppt adversary $A$ there exists a negligible function $\mu$ such that $\Pr[\mathrm{Sel\text{-}ID}^{\mathrm{col}}_{A,\Pi}(\lambda) = 1] \le \mu(\lambda)$.
- Adversary gets public parameters
- Security against collusion attacks implies CPA security

Slide 15: Idea
- Encrypt plaintext with a secret and attributes
- In decryption, reconstruct the secret using a $d$-element subset of the attributes
- Use Shamir's secret sharing scheme

Slide 16: Idea. Polynomials
- A polynomial $q(x)$ of degree $d - 1$ can be constructed with $d$ points.
- [Plot: $q(x)$ against $x$] Example shows polynomial of degree 3 and 6 points
- Every subset of 4 points is sufficient to reconstruct $q$

Slide 17: Ingredients I. Bilinear maps
- $G_1, G_2$ groups of prime order $p$, $g$ generator of $G_1$
- Bilinear map $e : G_1 \times G_1 \to G_2$
- $e(g^a, g^b) = e(g, g)^{ab}$
- $e(g, g) \ne 1$

Slide 18: Ingredients II. Lagrange coefficient
- $S \subseteq \mathbb{Z}$ finite set of numbers
- Lagrange coefficient $\Delta_{i,S}$ defined as: for $i \in \mathbb{Z}$

$$\Delta_{i,S}(x) = \prod_{j \in S,\, j \ne i} \frac{x - j}{i - j}$$

Slide 19: Ingredients II. Lagrange coefficient and polynomials
Let $q$ be a polynomial of degree $d - 1$ and let $S \subseteq \mathbb{Z}$, $|S| = d$. $q$ can also be written as:

$$q(x) = \sum_{i \in S} q(i)\, \Delta_{i,S}(x)$$

In other words: we can directly calculate every point of $q$ by using $d$ other points.

Slide 20: Construction. Construction of the scheme
- Restriction: let $n$ be the fixed size of an identity; for every identity $\omega$ it holds that $|\omega| = n$
- Universe of attributes: $U = \mathbb{Z}_p$, $p$ prime number
- $G_1$ group of prime order $p$
- $g$ generator of $G_1$
- $e : G_1 \times G_1 \to G_2$ bilinear map

Slide 21: Construction. The algorithms
$\mathrm{Setup}(n, d)$:
- Run bilinear Diffie-Hellman parameter generator $\mathcal{G}$ to obtain $p, G_1, G_2$.
- Choose $y \in G_1$. Set $g_1 = g^y$, $g_2 \in G_1$, $N := \{1, \ldots, n + 1\}$
- Define function $T$: $t_1, \ldots, t_{n+1} \in G_1$,

$$T(x) = g_2^{x^n} \prod_{i=1}^{n+1} t_i^{\Delta_{i,N}(x)}$$

- Publish $g_1, g_2, t_1, \ldots, t_{n+1}$
- $y$ is master key

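Slide 22: Construction. The algorithms
$\mathrm{Key\text{-}Gen}(\omega)$:
- Choose polynomial $q$ with degree $d - 1$ uniformly at random with $q(0) = y$
- For $i \in \omega$ set:
  - $D_i = g_2^{q(i)}\, T(i)^{r_i}$, $r_i \in \mathbb{Z}_p$
  - $d_i = g^{r_i}$
- Private key $k_\omega = \{\{D_i\}_{i \in \omega}, \{d_i\}_{i \in \omega}\}$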

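Slide 23: Construction. The algorithms
$\mathrm{Enc}(\omega', m)$:
- Choose $s \in \mathbb{Z}_p$
- Ciphertext $c = m \cdot e(g_1, g_2)^s$
- Output $C = (\omega', c, g^s, \{T(i)^s\}_{i \in \omega'})$

$\mathrm{Dec}(C, k_\omega)$:
- Choose $S \subseteq \omega \cap \omega'$, $|S| = d$

$$m = c \prod_{i \in S} \left( \frac{e(d_i, T(i)^s)}{e(D_i, g^s)} \right)^{\Delta_{i,S}(0)}$$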

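Slide 24: Construction. Correctness
- Plug in definitions
- Use linearity of $e$

$$
\begin{aligned}
m &= c \prod_{i \in S} \left( \frac{e(d_i, T(i)^s)}{e(D_i, g^s)} \right)^{\Delta_{i,S}(0)} \\
&= m\, e(g^y, g_2)^s \prod_{i \in S} \left( \frac{e(g^{r_i}, T(i)^s)}{e(g_2^{q(i)}\, T(i)^{r_i}, g^s)} \right)^{\Delta_{i,S}(0)} \\
&= m\, e(g, g_2)^{sy} \prod_{i \in S} \left( \frac{e(g, T(i))^{r_i s}}{e(g_2, g)^{q(i) s}\, e(T(i), g)^{r_i s}} \right)^{\Delta_{i,S}(0)}
\end{aligned}
$$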

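Slide 25: Construction. Correctness (continued)
- $e(g, T(i))^{r_i s}$ cancels out
- Use Lagrange coefficient to reconstruct $y$

$$
\begin{aligned}
& m\, e(g, g_2)^{sy} \prod_{i \in S} \left( \frac{e(g, T(i))^{r_i s}}{e(g_2, g)^{q(i) s}\, e(T(i), g)^{r_i s}} \right)^{\Delta_{i,S}(0)} \\
&= m\, e(g, g_2)^{sy} \prod_{i \in S} \left( \frac{1}{e(g_2, g)^{q(i) s}} \right)^{\Delta_{i,S}(0)} \\
&= m\, e(g, g_2)^{sy} \prod_{i \in S} \left( \frac{1}{e(g_2, g)} \right)^{q(i)\, \Delta_{i,S}(0)\, s} \\
&= m\, e(g, g_2)^{sy} \left( \frac{1}{e(g_2, g)} \right)^{ys} \\
&= m
\end{aligned}
$$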

Slide 26: Security. Security assumption
Decisional bilinear Diffie-Hellman (BDH) assumption: Let $a, b, c, z \in \mathbb{Z}_p$. The decisional BDH assumption is that no ppt $A$ can distinguish the tuple $(g^a, g^b, g^c, e(g, g)^z)$ from the tuple $(g^a, g^b, g^c, e(g, g)^{abc})$ with success probability greater than $\mu(x)$, where $\mu$ is a negligible function.

Slide 27: Security. Security proof
If there exists an adversary that can break the security of the scheme, then there is an adversary that can decide the bilinear Diffie-Hellman problem.

Formally: if a ppt $A$ can win the Fuzzy Selective-ID game with probability $\varepsilon(\lambda)$, then there is an adversary that can decide for the tuple $(g^a, g^b, g^c, e(g, g)^z)$ whether $z = abc$ with probability $\frac{\varepsilon(\lambda)}{2}$.

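Slide 28: Security. Security proof (Outline)
- Adversary $A_{\mathrm{Sel\text{-}Id}}$ with $\Pr[\mathrm{Sel\text{-}ID}^{\mathrm{col}}_{A_{\mathrm{Sel\text{-}Id}},\Pi}(\lambda) = 1] = \varepsilon(\lambda)$
- $\varepsilon(\lambda)$ not negligible
- Construct adversary $A_{\mathrm{BDH}}$ for BDH assumption
  - Receives tuple $(g^a, g^b, g^c, e(g, g)^z)$
  - $A_{\mathrm{BDH}}$ will simulate encryption scheme for $A_{\mathrm{Sel\text{-}Id}}$
  - Use elements of tuple for construction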

Slide 29: Security. Security proof (Outline)
Simulating an encryption scheme:
- Set $g_1 = g^a$, $g_2 = g^b$
- Most difficult: answer private key requests correctly
- Core idea: on receipt of messages $m_1, m_2$: encrypt $m_i$, $i \in \{0, 1\}$, with $c = m_i \cdot g^z$
  - If $z = abc$: ciphertext distribution as in real scheme
  - Else: $c$ is a random element of $G_2$
- If $A_{\mathrm{Sel\text{-}Id}}$ wins the game: guess that $z = abc$. Otherwise, guess that $z$ is a random element.

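Slide 30: Security. Security proof (Outline)
$\Pr[A_{\mathrm{BDH}} \text{ wins} \mid z \ne abc] = \Pr[A_{\mathrm{Sel\text{-}Id}} \text{ does not win}] = \frac{1}{2}$ because $c$ is a uniformly distributed element.

$$\Pr[A_{\mathrm{BDH}} \text{ wins}] = \Pr[A_{\mathrm{BDH}} \text{ wins} \mid z = abc] \Pr[z = abc] + \Pr[A_{\mathrm{BDH}} \text{ wins} \mid z \ne abc] \Pr[z \ne abc]$$

( ) 1 = 2 + ε(λ) = ε(λ) 2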

Slide 31: Extensions I
- Arbitrary attributes: use a hash function $H$ to hash arbitrary attributes (e.g. strings) into $\mathbb{Z}_p$.
- Replace $T$ with hash function: use a hash function instead of $T$.
  - Advantages:
    - Faster computation (one hash instead of $n + 1$ exponentiations)
    - Use arbitrary number of attributes for encryption
  - Security proof uses random oracle

Slide 32: Extensions II. Decryption optimization
Decrypt a ciphertext $c = m \cdot e(g_1, g_2)^s$ with

$$m = \frac{c \prod_{i \in S} e\!\left(d_i^{\Delta_{i,S}(0)}, T(i)^s\right)}{e\!\left(\prod_{i \in S} D_i^{\Delta_{i,S}(0)}, g^s\right)}$$

- Bilinear map operations reduce from $2k$ to $k + 1$
- Exponentiations increase from $k$ to $2k$

Slide 33: Thank you for your attention
