AttributeBased Cryptography. Lecture 21 And PairingBased Cryptography


 Jocelin Sutton
 2 years ago
 Views:
Transcription
1 AttributeBased Cryptography Lecture 21 And PairingBased Cryptography 1
2 IdentityBased Encryption 2
3 IdentityBased Encryption In PKE, KeyGen produces a random (PK,SK) pair 2
4 IdentityBased Encryption In PKE, KeyGen produces a random (PK,SK) pair Can I have a fancy publickey (e.g., my name)? 2
5 IdentityBased Encryption In PKE, KeyGen produces a random (PK,SK) pair Can I have a fancy publickey (e.g., my name)? But no one should be able to pick a PK and find an SK for it 2
6 IdentityBased Encryption In PKE, KeyGen produces a random (PK,SK) pair Can I have a fancy publickey (e.g., my name)? But no one should be able to pick a PK and find an SK for it But suppose a trusted authority for key generation 2
7 IdentityBased Encryption In PKE, KeyGen produces a random (PK,SK) pair Can I have a fancy publickey (e.g., my name)? But no one should be able to pick a PK and find an SK for it But suppose a trusted authority for key generation Then: Can it generate a valid (PK,SK) pair for any PK? 2
8 IdentityBased Encryption In PKE, KeyGen produces a random (PK,SK) pair Can I have a fancy publickey (e.g., my name)? But no one should be able to pick a PK and find an SK for it But suppose a trusted authority for key generation Then: Can it generate a valid (PK,SK) pair for any PK? IdentityBased Encryption: a keyserver (with a master secretkey) that can generate such pairs 2
9 IdentityBased Encryption In PKE, KeyGen produces a random (PK,SK) pair Can I have a fancy publickey (e.g., my name)? But no one should be able to pick a PK and find an SK for it But suppose a trusted authority for key generation Then: Can it generate a valid (PK,SK) pair for any PK? IdentityBased Encryption: a keyserver (with a master secretkey) that can generate such pairs Encryption will use the master publickey, and the receiver s identity (i.e., fancy publickey) 2
10 IdentityBased Encryption In PKE, KeyGen produces a random (PK,SK) pair Can I have a fancy publickey (e.g., my name)? But no one should be able to pick a PK and find an SK for it But suppose a trusted authority for key generation Then: Can it generate a valid (PK,SK) pair for any PK? IdentityBased Encryption: a keyserver (with a master secretkey) that can generate such pairs Encryption will use the master publickey, and the receiver s identity (i.e., fancy publickey) In PKE, sender has to retrieve PK for every party it wants to talk to (from a trusted public directory) 2
11 IdentityBased Encryption In PKE, KeyGen produces a random (PK,SK) pair Can I have a fancy publickey (e.g., my name)? But no one should be able to pick a PK and find an SK for it But suppose a trusted authority for key generation Then: Can it generate a valid (PK,SK) pair for any PK? IdentityBased Encryption: a keyserver (with a master secretkey) that can generate such pairs Encryption will use the master publickey, and the receiver s identity (i.e., fancy publickey) In PKE, sender has to retrieve PK for every party it wants to talk to (from a trusted public directory) In IBE, receiver has to obtain its SK from the authority 2
12 IdentityBased Encryption 3
13 IdentityBased Encryption Security requirement for IBE (will skip formal statement): 3
14 IdentityBased Encryption Security requirement for IBE (will skip formal statement): Environment/adversary decides the ID of the honest parties (in the beginning or later on) 3
15 IdentityBased Encryption Security requirement for IBE (will skip formal statement): Environment/adversary decides the ID of the honest parties (in the beginning or later on) Adversary can adaptively request SK for any number of IDs (which are not used for honest parties) 3
16 IdentityBased Encryption Security requirement for IBE (will skip formal statement): Environment/adversary decides the ID of the honest parties (in the beginning or later on) Adversary can adaptively request SK for any number of IDs (which are not used for honest parties) Semantic security for encryption with the ID of honest parties (CPA: with no access to decryption) 3
17 IdentityBased Encryption Security requirement for IBE (will skip formal statement): Environment/adversary decides the ID of the honest parties (in the beginning or later on) Adversary can adaptively request SK for any number of IDs (which are not used for honest parties) Semantic security for encryption with the ID of honest parties (CPA: with no access to decryption) Or, CCA security: also gets (guarded) access to decryption for honest parties IDs 3
18 IdentityBased Encryption Security requirement for IBE (will skip formal statement): Environment/adversary decides the ID of the honest parties (in the beginning or later on) Adversary can adaptively request SK for any number of IDs (which are not used for honest parties) Semantic security for encryption with the ID of honest parties (CPA: with no access to decryption) Or, CCA security: also gets (guarded) access to decryption for honest parties IDs IBE (even CPAsecure) can easily give CCAsecure PKE! 3
19 IdentityBased Encryption Security requirement for IBE (will skip formal statement): Environment/adversary decides the ID of the honest parties (in the beginning or later on) Adversary can adaptively request SK for any number of IDs (which are not used for honest parties) Semantic security for encryption with the ID of honest parties (CPA: with no access to decryption) Or, CCA security: also gets (guarded) access to decryption for honest parties IDs IBE (even CPAsecure) can easily give CCAsecure PKE! IBE: Can t malleate ciphertext for one ID into one for another 3
20 IdentityBased Encryption Security requirement for IBE (will skip formal statement): Environment/adversary decides the ID of the honest parties (in the beginning or later on) Adversary can adaptively request SK for any number of IDs (which are not used for honest parties) Semantic security for encryption with the ID of honest parties (CPA: with no access to decryption) Or, CCA security: also gets (guarded) access to decryption for honest parties IDs IBE (even CPAsecure) can easily give CCAsecure PKE! IBE: Can t malleate ciphertext for one ID into one for another PKEnc MPK (m) = (verkey, C=IBEnc MPK (id=verkey; m), sign signkey (C) ) 3
21 IdentityBased Encryption Security requirement for IBE (will skip formal statement): Environment/adversary decides the ID of the honest parties (in the beginning or later on) Adversary can adaptively request SK for any number of IDs (which are not used for honest parties) Semantic security for encryption with the ID of honest parties (CPA: with no access to decryption) Or, CCA security: also gets (guarded) access to decryption for honest parties IDs IBE (even CPAsecure) can easily give CCAsecure PKE! IBE: Can t malleate ciphertext for one ID into one for another PKEnc MPK (m) = (verkey, C=IBEnc MPK (id=verkey; m), sign signkey (C) ) Digital Signature 3
22 IdentityBased Encryption 4
23 IdentityBased Encryption Notion of IBE suggested by Shamir in 1984 (but no construction) 4
24 IdentityBased Encryption Notion of IBE suggested by Shamir in 1984 (but no construction) An identitybased noninteractive keydistribution scheme by SakaiOhgishiKasahara (2000) using bilinearpairings and a random oracle 4
25 IdentityBased Encryption Notion of IBE suggested by Shamir in 1984 (but no construction) An identitybased noninteractive keydistribution scheme by SakaiOhgishiKasahara (2000) using bilinearpairings and a random oracle But no formal proof of security 4
26 IdentityBased Encryption Notion of IBE suggested by Shamir in 1984 (but no construction) An identitybased noninteractive keydistribution scheme by SakaiOhgishiKasahara (2000) using bilinearpairings and a random oracle But no formal proof of security Quadratic Residuosity based scheme by Cocks (2001) 4
27 IdentityBased Encryption Notion of IBE suggested by Shamir in 1984 (but no construction) An identitybased noninteractive keydistribution scheme by SakaiOhgishiKasahara (2000) using bilinearpairings and a random oracle But no formal proof of security Quadratic Residuosity based scheme by Cocks (2001) But long ciphertexts (Shorter, but slower scheme by BonehGentryHamburg (2007) ) 4
28 IdentityBased Encryption Notion of IBE suggested by Shamir in 1984 (but no construction) An identitybased noninteractive keydistribution scheme by SakaiOhgishiKasahara (2000) using bilinearpairings and a random oracle But no formal proof of security Quadratic Residuosity based scheme by Cocks (2001) But long ciphertexts (Shorter, but slower scheme by BonehGentryHamburg (2007) ) BonehFranklin IBE (2001): similar to SKO IDNIKD (but with a proof of security in the random oracle model) 4
29 IdentityBased Encryption Notion of IBE suggested by Shamir in 1984 (but no construction) An identitybased noninteractive keydistribution scheme by SakaiOhgishiKasahara (2000) using bilinearpairings and a random oracle But no formal proof of security Quadratic Residuosity based scheme by Cocks (2001) But long ciphertexts (Shorter, but slower scheme by BonehGentryHamburg (2007) ) BonehFranklin IBE (2001): similar to SKO IDNIKD (but with a proof of security in the random oracle model) Pairingbased, without RO: BonehBoyen (2004), Waters (2005),... 4
30 IdentityBased Encryption Notion of IBE suggested by Shamir in 1984 (but no construction) An identitybased noninteractive keydistribution scheme by SakaiOhgishiKasahara (2000) using bilinearpairings and a random oracle But no formal proof of security Quadratic Residuosity based scheme by Cocks (2001) But long ciphertexts (Shorter, but slower scheme by BonehGentryHamburg (2007) ) BonehFranklin IBE (2001): similar to SKO IDNIKD (but with a proof of security in the random oracle model) Pairingbased, without RO: BonehBoyen (2004), Waters (2005),... Without pairing: Using QR, Lattices,... 4
31 Bilinear Pairing 5
32 Bilinear Pairing A relatively new (and less understood) tool 5
33 Bilinear Pairing A relatively new (and less understood) tool Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear 5
34 Bilinear Pairing A relatively new (and less understood) tool Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear Typically, prime order (cyclic) groups 5
35 Bilinear Pairing A relatively new (and less understood) tool Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear Typically, prime order (cyclic) groups e(g a,h b ) = e(g,h) ab 5
36 Bilinear Pairing A relatively new (and less understood) tool Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear Typically, prime order (cyclic) groups e(g a,h b ) = e(g,h) ab Multiplication (once) in the exponent! 5
37 Bilinear Pairing A relatively new (and less understood) tool Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear Typically, prime order (cyclic) groups e(g a,h b ) = e(g,h) ab Multiplication (once) in the exponent! e(g a g a,g b ) = e(g a,g b ) e(g a,g b ) ; e(g a,g bc ) = e(g ac,g b ) ;... 5
38 Bilinear Pairing A relatively new (and less understood) tool Two (or three) groups with an efficient pairing operation, e: G x G G T that is bilinear Typically, prime order (cyclic) groups e(g a,h b ) = e(g,h) ab Multiplication (once) in the exponent! e(g a g a,g b ) = e(g a,g b ) e(g a,g b ) ; e(g a,g bc ) = e(g ac,g b ) ;... Not degenerate: e(g,g,)! 1 5
39 Decisional Bilinear DiffieHellman Assumption 6
40 Decisional Bilinear DiffieHellman Assumption DDH is not hard in G, if there is a bilinear pairing 6
41 Decisional Bilinear DiffieHellman Assumption DDH is not hard in G, if there is a bilinear pairing Given (g a,g b,g z ) check if e(g a,g b ) = e(g z,g) 6
42 Decisional Bilinear DiffieHellman Assumption DDH is not hard in G, if there is a bilinear pairing Given (g a,g b,g z ) check if e(g a,g b ) = e(g z,g) Decisional Bilinear DH assumption: (g a,g b,g c,g abc ) is indistinguishable from (g a,g b,g c,g z ). (a,b,c,z random) 6
43 IBE from Pairing 7
44 IBE from Pairing MPK: g,h, Y=e(g,h) y, " = (u,u 1,...,u n ) 7
45 IBE from Pairing MPK: g,h, Y=e(g,h) y, " = (u,u 1,...,u n ) MSK: h y 7
46 IBE from Pairing MPK: g,h, Y=e(g,h) y, " = (u,u 1,...,u n ) MSK: h y Enc(m;s) = ( g s, "(ID) s, M.Y s ) 7
47 IBE from Pairing MPK: g,h, Y=e(g,h) y, " = (u,u 1,...,u n ) MSK: h y "(ID) = u Π u i i:id i =1 Enc(m;s) = ( g s, "(ID) s, M.Y s ) 7
48 IBE from Pairing MPK: g,h, Y=e(g,h) y, " = (u,u 1,...,u n ) MSK: h y "(ID) = u Π u i i:id i =1 Enc(m;s) = ( g s, "(ID) s, M.Y s ) SK for ID: ( h y."(id) t, g t ) = (d 1, d 2 ) 7
49 IBE from Pairing MPK: g,h, Y=e(g,h) y, " = (u,u 1,...,u n ) MSK: h y "(ID) = u Π u i i:id i =1 Enc(m;s) = ( g s, "(ID) s, M.Y s ) SK for ID: ( h y."(id) t, g t ) = (d 1, d 2 ) Dec ( a, b, c; d 1, d 2 ) = c/ [ e(b,d 2 ) / e(a,d 1 ) ] 7
50 IBE from Pairing MPK: g,h, Y=e(g,h) y, " = (u,u 1,...,u n ) MSK: h y "(ID) = u Π u i i:id i =1 Enc(m;s) = ( g s, "(ID) s, M.Y s ) SK for ID: ( h y."(id) t, g t ) = (d 1, d 2 ) Dec ( a, b, c; d 1, d 2 ) = c/ [ e(b,d 2 ) / e(a,d 1 ) ] CPA security based on DecisionalBDH 7
51 AttributeBased Encryption 8
52 AttributeBased Encryption Which users can decrypt a ciphertext will be decided by the attributes and policies associated with the message and the user 8
53 AttributeBased Encryption Which users can decrypt a ciphertext will be decided by the attributes and policies associated with the message and the user A central authority will create secret keys for the users (like in IBE) based on attributes/policies for each user 8
54 AttributeBased Encryption Which users can decrypt a ciphertext will be decided by the attributes and policies associated with the message and the user A central authority will create secret keys for the users (like in IBE) based on attributes/policies for each user Ciphertexts can be created (by anyone) by incorporating attributes/policies 8
55 CiphertextPolicy ABE 9
56 CiphertextPolicy ABE Users in the system have attributes; receives a key (or key bundle ) from an authority for its set of attributes 9
57 CiphertextPolicy ABE Users in the system have attributes; receives a key (or key bundle ) from an authority for its set of attributes Ciphertext contains a policy (a boolean predicate over the attribute space) 9
58 CiphertextPolicy ABE Users in the system have attributes; receives a key (or key bundle ) from an authority for its set of attributes Ciphertext contains a policy (a boolean predicate over the attribute space) If a user s attribute set satisfies the policy, can use its key bundle to decrypt the ciphertext 9
59 CiphertextPolicy ABE Users in the system have attributes; receives a key (or key bundle ) from an authority for its set of attributes Ciphertext contains a policy (a boolean predicate over the attribute space) If a user s attribute set satisfies the policy, can use its key bundle to decrypt the ciphertext Multiple users cannot pool their attributes together 9
60 CiphertextPolicy ABE Users in the system have attributes; receives a key (or key bundle ) from an authority for its set of attributes Ciphertext contains a policy (a boolean predicate over the attribute space) If a user s attribute set satisfies the policy, can use its key bundle to decrypt the ciphertext Multiple users cannot pool their attributes together Application: EndtoEnd privacy in AttributeBased Messaging 9
61 KeyPolicy ABE 10
62 KeyPolicy ABE Attributes will be assigned to a ciphertext (when creating the ciphertext) 10
63 KeyPolicy ABE Attributes will be assigned to a ciphertext (when creating the ciphertext) Policies will be assigned to users/keys by an authority (who creates the keys) 10
64 KeyPolicy ABE Attributes will be assigned to a ciphertext (when creating the ciphertext) Policies will be assigned to users/keys by an authority (who creates the keys) A key can decrypt only those ciphertexts whose attributes satisfy the policy 10
65 KeyPolicy ABE Attributes will be assigned to a ciphertext (when creating the ciphertext) Policies will be assigned to users/keys by an authority (who creates the keys) A key can decrypt only those ciphertexts whose attributes satisfy the policy E.g. Applications 10
66 KeyPolicy ABE Attributes will be assigned to a ciphertext (when creating the ciphertext) Policies will be assigned to users/keys by an authority (who creates the keys) A key can decrypt only those ciphertexts whose attributes satisfy the policy E.g. Applications Fuzzy IBE: use a policy that allows receiver s ID to be slightly different from the one in the policy 10
67 KeyPolicy ABE Attributes will be assigned to a ciphertext (when creating the ciphertext) Policies will be assigned to users/keys by an authority (who creates the keys) A key can decrypt only those ciphertexts whose attributes satisfy the policy E.g. Applications Fuzzy IBE: use a policy that allows receiver s ID to be slightly different from the one in the policy Audit log inspection: grant auditor authority to read only messages with certain attributes 10
68 A KPABE Scheme 11
69 A KPABE Scheme A construction that supports linear policies 11
70 A KPABE Scheme A construction that supports linear policies Policy corresponds to a (monotonic) access structure (sets of attributes that when pooled satisfy the policy) 11
71 A KPABE Scheme A construction that supports linear policies Policy corresponds to a (monotonic) access structure (sets of attributes that when pooled satisfy the policy) Linear: Matrix L with each row labeled by an attribute, such that 11
72 A KPABE Scheme A construction that supports linear policies Policy corresponds to a (monotonic) access structure (sets of attributes that when pooled satisfy the policy) Linear: Matrix L with each row labeled by an attribute, such that a set of attributes S satisfies the policy iff there is a vector v such that v.l=[ ] 11
73 A KPABE Scheme A construction that supports linear policies Policy corresponds to a (monotonic) access structure (sets of attributes that when pooled satisfy the policy) Linear: Matrix L with each row labeled by an attribute, such that a set of attributes S satisfies the policy iff there is a vector v such that v.l=[ ] and, labels corresponding to nonzero entries of v are all contained in S 11
74 A KPABE Scheme A construction that supports linear policies Policy corresponds to a (monotonic) access structure (sets of attributes that when pooled satisfy the policy) Linear: Matrix L with each row labeled by an attribute, such that a set of attributes S satisfies the policy iff there is a vector v such that v.l=[ ] and, labels corresponding to nonzero entries of v are all contained in S Linear algebra over some finite field (e.g. GF(p) ) 11
75 A KPABE Scheme A construction that supports linear policies Policy corresponds to a (monotonic) access structure (sets of attributes that when pooled satisfy the policy) Linear: Matrix L with each row labeled by an attribute, such that a set of attributes S satisfies the policy iff there is a vector v such that v.l=[ ] and, labels corresponding to nonzero entries of v are all contained in S Linear algebra over some finite field (e.g. GF(p) ) For efficiency need a small matrix 11
76 Example of a Linear Policy 12
77 Example of a Linear Policy Consider this policy, over 7 attributes 12
78 Example of a Linear Policy Consider this policy, over 7 attributes OR AND AND AND OR 12
79 Example of a Linear Policy Consider this policy, over 7 attributes OR L: AND AND AND OR 12
80 Example of a Linear Policy Consider this policy, over 7 attributes OR L: AND AND AND OR
81 Example of a Linear Policy Consider this policy, over 7 attributes OR L: AND AND AND OR Can allow threshold gates too 12
82 A KPABE Scheme 13
83 A KPABE Scheme MPK: g, Y=e(g,g) y, T = (g t1,..., g tn ) (n attributes) 13
84 A KPABE Scheme MPK: g, Y=e(g,g) y, T = (g t1,..., g tn ) (n attributes) MSK: t a for each attribute 13
85 A KPABE Scheme MPK: g, Y=e(g,g) y, T = (g t1,..., g tn ) (n attributes) MSK: t a for each attribute Enc(m,A;s) = ( A, { T a s } a A, M.Y s ) 13
86 A KPABE Scheme MPK: g, Y=e(g,g) y, T = (g t1,..., g tn ) (n attributes) MSK: t a for each attribute Enc(m,A;s) = ( A, { T a s } a A, M.Y s ) SK for policy L (with d rows): Let u=(u 1... u d ) s.t. Σ i u i = y. For each row i, let x i = <L i,u>/t label(i). Let Key = { g xi } i=1 to d 13
87 A KPABE Scheme MPK: g, Y=e(g,g) y, T = (g t1,..., g tn ) (n attributes) MSK: t a for each attribute Enc(m,A;s) = ( A, { T a s } a A, M.Y s ) SK for policy L (with d rows): Let u=(u 1... u d ) s.t. Σ i u i = y. For each row i, let x i = <L i,u>/t label(i). Let Key = { g xi } i=1 to d Dec ( (A,{U a } a A,c); {X i } row i ) : Get Y s = Π i:label(i) A e(u label(i),x i ) vi where v = [v 1... v d ] s.t. v i =0 if label(i) A, and vl=[1...1] 13
88 A KPABE Scheme MPK: g, Y=e(g,g) y, T = (g t1,..., g tn ) (n attributes) MSK: t a for each attribute Enc(m,A;s) = ( A, { T a s } a A, M.Y s ) SK for policy L (with d rows): Let u=(u 1... u d ) s.t. Σ i u i = y. For each row i, let x i = <L i,u>/t label(i). Let Key = { g xi } i=1 to d Dec ( (A,{U a } a A,c); {X i } row i ) : Get Y s = Π i:label(i) A e(u label(i),x i ) vi where v = [v 1... v d ] s.t. v i =0 if label(i) A, and vl=[1...1] CPA security based on DecisionalBDH 13
89 A KPABE Scheme MPK: g, Y=e(g,g) y, T = (g t1,..., g tn ) (n attributes) MSK: t a for each attribute Enc(m,A;s) = ( A, { T a s } a A, M.Y s ) SK for policy L (with d rows): Let u=(u 1... u d ) s.t. Σ i u i = y. For each row i, let x i = <L i,u>/t label(i). Let Key = { g xi } i=1 to d Dec ( (A,{U a } a A,c); {X i } row i ) : Get Y s = Π i:label(i) A e(u label(i),x i ) vi where v = [v 1... v d ] s.t. v i =0 if label(i) A, and vl=[1...1] CPA security based on DecisionalBDH Choosing a random vector u for each key helps in preventing collusion 13
90 Predicate Encryption 14
91 Predicate Encryption Similar to ABE, but the ciphertext hides the attributes/ policy 14
92 Predicate Encryption Similar to ABE, but the ciphertext hides the attributes/ policy Decryption reveals only whether a condition is satisfied by the ciphertext, and if it is, reveals the message too 14
93 Predicate Encryption Similar to ABE, but the ciphertext hides the attributes/ policy Decryption reveals only whether a condition is satisfied by the ciphertext, and if it is, reveals the message too e.g.: ciphertext contains a vector c, and key a vector d. Predicate: whether <c,d> = 0 or not 14
94 Predicate Encryption Similar to ABE, but the ciphertext hides the attributes/ policy Decryption reveals only whether a condition is satisfied by the ciphertext, and if it is, reveals the message too e.g.: ciphertext contains a vector c, and key a vector d. Predicate: whether <c,d> = 0 or not A building block for other predicates 14
95 Predicate Encryption Similar to ABE, but the ciphertext hides the attributes/ policy Decryption reveals only whether a condition is satisfied by the ciphertext, and if it is, reveals the message too e.g.: ciphertext contains a vector c, and key a vector d. Predicate: whether <c,d> = 0 or not A building block for other predicates Constructions using stronger ( nonstandard ) assumptions 14
96 AttributeBased Signatures 15
97 AttributeBased Signatures Claimandendorse : Claim to have attributes satisfying a certain policy, and sign a message 15
98 AttributeBased Signatures Claimandendorse : Claim to have attributes satisfying a certain policy, and sign a message Soundness: can t forge, even by colluding 15
99 AttributeBased Signatures Claimandendorse : Claim to have attributes satisfying a certain policy, and sign a message Soundness: can t forge, even by colluding Hiding: Verification without learning how the policy was satisfied 15
100 AttributeBased Signatures Claimandendorse : Claim to have attributes satisfying a certain policy, and sign a message Soundness: can t forge, even by colluding Hiding: Verification without learning how the policy was satisfied Also unlinkable: cannot link multiple signatures as originating from the same signer 15
101 An ABS Construction 16
102 An ABS Construction Using Credential Bundles and NIZK proofs (in fact, NIWI proofs) 16
103 An ABS Construction Using Credential Bundles and NIZK proofs (in fact, NIWI proofs) Credential Bundle for a set of attributes: 16
104 An ABS Construction Using Credential Bundles and NIZK proofs (in fact, NIWI proofs) Credential Bundle for a set of attributes: Given multiple credential bundles, can t create a credential bundle for a new set, unless it is a subset of attributes in a single given credential bundle 16
105 An ABS Construction Using Credential Bundles and NIZK proofs (in fact, NIWI proofs) Credential Bundle for a set of attributes: Given multiple credential bundles, can t create a credential bundle for a new set, unless it is a subset of attributes in a single given credential bundle Map each (claim,message) to a pseudoattribute 16
106 An ABS Construction Using Credential Bundles and NIZK proofs (in fact, NIWI proofs) Credential Bundle for a set of attributes: Given multiple credential bundles, can t create a credential bundle for a new set, unless it is a subset of attributes in a single given credential bundle Map each (claim,message) to a pseudoattribute Signing key: credential bundle for (real) attributes possessed 16
107 An ABS Construction Using Credential Bundles and NIZK proofs (in fact, NIWI proofs) Credential Bundle for a set of attributes: Given multiple credential bundles, can t create a credential bundle for a new set, unless it is a subset of attributes in a single given credential bundle Map each (claim,message) to a pseudoattribute Signing key: credential bundle for (real) attributes possessed Signature: a NIZK proof of knowledge of a credentialbundle for attributes satisfying the claim, or a credential for the pseudoattribute corresponding to (claim,message) 16
108 An ABS Construction Using Credential Bundles and NIZK proofs (in fact, NIWI proofs) Credential Bundle for a set of attributes: Given multiple credential bundles, can t create a credential bundle for a new set, unless it is a subset of attributes in a single given credential bundle Map each (claim,message) to a pseudoattribute Signing key: credential bundle for (real) attributes possessed Signature: a NIZK proof of knowledge of a credentialbundle for attributes satisfying the claim, or a credential for the pseudoattribute corresponding to (claim,message) Using conventional tools. More efficiently using bilinear pairings. 16
109 Today 17
110 Today IBE, ABE and ABS 17
111 Today IBE, ABE and ABS Pairingbased cryptography 17
112 Today IBE, ABE and ABS Pairingbased cryptography Next up: 17
113 Today IBE, ABE and ABS Pairingbased cryptography Next up: Some more applications of pairingbased cryptography 17
114 Today IBE, ABE and ABS Pairingbased cryptography Next up: Some more applications of pairingbased cryptography Generic groups 17
Functional Encryption. Lecture 27
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data,
More informationFuzzy IdentityBased Encryption
Fuzzy IdentityBased Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) IdentityBased Encryption Formal definition Security Idea Ingredients Construction Security Extensions
More informationIdentityBased Encryption. Gregory Neven (IBM Zurich Research Laboratory) Eike Kiltz (CWI Amsterdam)
IdentityBased Encryption Gregory Neven (IBM Zurich Research Laboratory) Eike Kiltz (CWI Amsterdam) Publickey encryption PKI pk KeyGen sk M Enc C Dec M Sender (pk) Receiver (sk) 2 Identitybased encryption
More informationIdentityBased Encryption: A 30Minute Tour. Palash Sarkar
IdentityBased Encryption: A 30Minute Tour Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata,
More informationCategorical Heuristic for Attribute Based Encryption in the Cloud Server
Categorical Heuristic for Attribute Based Encryption in the Cloud Server R. Brindha 1, R. Rajagopal 2 1( M.E, Dept of CSE, Vivekanandha Institutes of Engineering and Technology for Women, Tiruchengode,
More informationVerifiable Outsourced Computations Outsourcing Computations to Untrusted Servers
Outsourcing Computations to Untrusted Servers Security of Symmetric Ciphers in Network Protocols ICMS, May 26, 2015, Edinburgh Problem Motivation Problem Motivation Problem Motivation Problem Motivation
More informationCryptography. Identitybased Encryption. JeanSébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg
Identitybased Encryption Université du Luxembourg May 15, 2014 Summary IdentityBased Encryption (IBE) What is IdentityBased Encryption? Difference with conventional PK cryptography. Applications of
More informationOutsourcing the Decryption of ABE Ciphertexts
Outsourcing the Decryption of ABE Ciphertexts Matthew Green and Susan Hohenberger Johns Hopkins University Brent Waters UT Austin Background A problem Securing records in a datasharing environment E.g.,
More informationLecture 17: Reencryption
600.641 Special Topics in Theoretical Cryptography April 2, 2007 Instructor: Susan Hohenberger Lecture 17: Reencryption Scribe: Zachary Scott Today s lecture was given by Matt Green. 1 Motivation Proxy
More informationIdentity Based Encryption: An Overview
Identity Based Encryption: An Overview Palash Sarkar Indian Statistical Institute IBE Overview p. Structure of Presentation Conceptual overview and motivation. Some technical details. Brief algebraic background.
More informationLecture 25: PairingBased Cryptography
6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: PairingBased Cryptography Scribe: Ben Adida 1 Introduction The field of PairingBased Cryptography
More informationLightweight Encryption for Email
Lightweight Encryption for Email Ben Adida ben@mit.edu 7 July 2005 joint work with Susan Hohenberger and Ronald L. Rivest MIT Cryptography and Information Security Group Motivation To Improve/Restore the
More informationEfficient File Sharing in Electronic Health Records
Efficient File Sharing in Electronic Health Records Clémentine Gritti, Willy Susilo and Thomas Plantard University of Wollongong, Australia 27/02/2015 1/20 Outline for Section 1 1 Introduction 2 Solution
More informationChosenCiphertext Security from IdentityBased Encryption
ChosenCiphertext Security from IdentityBased Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCAsecure publickey encryption schemes (i.e., schemes
More informationKey Privacy for Identity Based Encryption
Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 20062 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March
More informationChosenCiphertext Security from IdentityBased Encryption
ChosenCiphertext Security from IdentityBased Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCAsecure publickey encryption schemes
More informationBreaking An IdentityBased Encryption Scheme based on DHIES
Breaking An IdentityBased Encryption Scheme based on DHIES Martin R. Albrecht 1 Kenneth G. Paterson 2 1 SALSA Project  INRIA, UPMC, Univ Paris 06 2 Information Security Group, Royal Holloway, University
More informationPublicKey Cryptography. Oregon State University
PublicKey Cryptography Çetin Kaya Koç Oregon State University 1 Sender M Receiver Adversary Objective: Secure communication over an insecure channel 2 Solution: Secretkey cryptography Exchange the key
More informationCIS 5371 Cryptography. 8. Encryption 
CIS 5371 Cryptography p y 8. Encryption  Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: Allornothing secrecy.
More informationLecture 2 August 29, 13:40 15:40
Lecture 2 August 29, 13:40 15:40 Publickey encryption with keyword search Anonymous identitybased encryption Identitybased encryption with wildcards Publickey encryption with keyword search & anonymous
More informationMESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC
MESSAGE AUTHENTICATION IN AN IDENTITYBASED ENCRYPTION SCHEME: 1KEYENCRYPTTHENMAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial
More informationAnonymity and Time in PublicKey Encryption
Anonymity and Time in PublicKey Encryption Elizabeth Anne Quaglia Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics
More informationOutsourcing the Decryption of ABE Ciphertexts
Outsourcing the Decryption of ABE Ciphertexts Matthew Green Johns Hopkins University Susan Hohenberger Johns Hopkins University Brent Waters University of Texas at Austin Abstract Attributebased encryption
More informationSecure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud
1 Secure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud Kan Yang Associate Member IEEE Xiaohua Jia Fellow IEEE Kui Ren Senior Member IEEE Abstract Due to the high volume
More informationIdentity Based Encryption
Bar Ilan Winter School. Feb. 2013 Bilinear Pairings in Cryptography: Identity Based Encryption Dan Boneh Stanford University (2 hours) Recall: PubKey Encryption (PKE) PKE Three algorithms : (G, E, D)
More informationIdentitybased Encryption with PostChallenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks
Identitybased Encryption with PostChallenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen  Huawei, Singapore Ye Zhang  Pennsylvania State University, USA Siu Ming
More informationKeywords: Authentication, Third party audit, cloud storage, cloud service provider, Access control.
Volume 5, Issue 3, March 2015 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Identity Based
More informationIdentity Based Encryption: An Overview
IBE Overview p. 1/6 Identity Based Encryption: An Overview Palash Sarkar Indian Statistical Institute IBE Overview p. 2/6 Structure of Presentation Conceptual overview and motivation. Some technical details.
More informationPublicKey Encryption (Asymmetric Encryption)
PublicKey Encryption (Asymmetric Encryption) Summer School, Romania 2014 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1 The story so far (PrivateKey Crypto) Alice establish secure
More informationIDbased Cryptography and SmartCards
IDbased Cryptography and SmartCards Survol des techniques cryptographiques basées sur l identité et implémentation sur carte à puce The Need for Cryptography Encryption! Transform a message so that only
More informationPrivacy in Encrypted Content Distribution Using Private Broadcast Encryption
Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth 1, Dan Boneh 1, and Brent Waters 2 1 Stanford University, Stanford, CA 94305 {abarth, dabo}@cs.stanford.edu 2 SRI
More informationSecure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment
Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment Chih Hung Wang Computer Science and Information Engineering National Chiayi University Chiayi City 60004,
More informationWildcarded IdentityBased Encryption
Wildcarded IdentityBased Encryption Michel Abdalla 1, James Birkett 2, Dario Catalano 3, Alexander W. Dent 4, John MaloneLee 5, Gregory Neven 6,7, Jacob C. N. Schuldt 8, and Nigel P. Smart 9 1 Ecole
More informationIEEE Draft P1363.3. Identity Based Public Key Cryptography Based On Pairings. Daniel Schliebner. 14. Dezember 2009
Identity Based Public Key Cryptography Based On Pairings 14. Dezember 2009 Gliederung Introduction Identity Based Encryption The Protocol Security Of The Protocol Discussion About The Headline Identity
More informationAcknowledgements. Notations and abbreviations
Abstract This work explains the fundamental definitions required to define and create Fuzzy Identity Based Encryption schemes as an errortolerant version of IdentityBased Encryption schemes, along with
More informationData Sharing on Untrusted Storage with AttributeBased Encryption
Data Sharing on Untrusted Storage with AttributeBased Encryption by Shucheng Yu A Dissertation Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the requirements
More informationAn Introduction to Identitybased Cryptography CSEP 590TU March 2005 Carl Youngblood
An Introduction to Identitybased Cryptography CSEP 590TU March 2005 Carl Youngblood One significant impediment to the widespread adoption of publickey cryptography is its dependence on a publickey infrastructure
More informationIdentitybased encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012
Identitybased encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identitybased encryption Publickey encryption, where public key = name
More informationSecure and Efficient Data Retrieval Process based on Hilbert Space Filling Curve
Secure and Efficient Data Retrieval Process based on Hilbert Space Filling Curve N.S. Jeya karthikka PG Scholar Sri Ramakrishna Engg Collg S.Bhaggiaraj Assistant Professor Sri Ramakrishna Engg Collg V.Sumathy
More informationIdentityBased Encryption
IdentityBased ryption Gregory Neven IBM Zurich Research Laboratory gone WILD Publickey encryption PKI pk KeyGen sk M Dec M Sender (pk) Receiver (sk) 2 1 Identitybased encryption (IBE) [S84] Goal: Allow
More informationSecure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data
Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data V.Abinaya PG Scholar Kalasalingam Institute of Technology Krishnankoil. V.Ramesh Assistant professor Kalasalingam
More informationPublic Key Cryptography. Basic Public Key Cryptography
Public Key Cryptography EJ Jung Basic Public Key Cryptography public key public key? private key Alice Bob Given: Everybody knows Bob s public key  How is this achieved in practice? Only Bob knows the
More informationAttributeBased Encryption for FineGrained Access Control of Encrypted Data
AttributeBased Encryption for FineGrained Access Control of Encrypted Data Vipul Goyal Omkant Pandey Amit Sahai Brent Waters Abstract As more sensitive data is shared and stored by thirdparty sites
More informationSecurity Strength of RSA and Attribute Based Encryption for Data Security in Cloud Computing
Security Strength of RSA and Attribute Based Encryption for Data Security in Cloud Computing S.Hemalatha, Dr.R.Manickachezian Ph.D Research Scholar, Department of Computer Science, N.G.M College, Pollachi,
More informationPrivacy, Discovery, and Authentication for the Internet of Things
Privacy, Discovery, and Authentication for the Internet of Things David Wu Joint work with Ankur Taly, Asim Shankar, and Dan Boneh The Internet of Things (IoT) Lots of smart devices, but only useful if
More informationA New and Efficient Signature on Commitment Values
International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding
More informationEnsuring Integrity in Cloud Computing via Homomorphic Digital Signatures: new tools and results
Ensuring Integrity in Cloud Computing via Homomorphic Digital Signatures: new tools and results Dario Catalano Dario Fiore Luca Nizzardo University of Catania Italy IMDEA Software Institute Madrid, Spain
More informationDuality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings
Duality in ABE: Converting Attribute Based Encryption for Dual Predicate and Dual Policy via Computational Encodings Nuttapong Attrapadung, Shota Yamada AIST, Japan @CTRSA 2015 Our Main Results in One
More informationIdentity based cryptography
Identity based cryptography The case of encryption schemes David Galindo d.galindo@cs.ru.nl Security of Systems Department of Computer Science Radboud Universiteit Nijmegen Identity based cryptography
More informationCertificate Based Signature Schemes without Pairings or Random Oracles
Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying
More informationChapter 2 TSAS: ThirdParty Storage Auditing Service
Chapter 2 TSAS: ThirdParty Storage Auditing Service Abstract In cloud storage systems, data owners host their data on cloud servers and users (data consumers) can access the data from cloud servers Due
More informationEfficient Unlinkable Secret Handshakes for Anonymous Communications
보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications EunKyung Ryu 1), KeeYoung Yoo 2), KeumSook Ha 3) Abstract The technique
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationOverview of PublicKey Cryptography
CS 361S Overview of PublicKey Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.16 slide 2 PublicKey Cryptography public key public key? private key Alice Bob Given: Everybody knows
More informationSecure Network Communication Part II II Public Key Cryptography. Public Key Cryptography
Kommunikationssysteme (KSy)  Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 20002001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem
More informationNew Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts
New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko 1 and Brent Waters 2 1 University of Texas Austin alewko@cs.utexas.edu 2 University of Texas at Austin
More informationAsymmetric cryptography in the random oracle model. Gregory Neven IBM Zurich Research Laboratory
Asymmetric cryptography in the random oracle model Gregory Neven IBM Zurich Research Laboratory Overview Provable security: the concept Digital signatures and the Random Oracle Model Publickey encryption
More informationCOM S 687 Introduction to Cryptography October 19, 2006
COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: NonMalleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 NonMalleability Until this point we have discussed
More informationON MULTIAUTHORITY CIPHERTEXTPOLICY ATTRIBUTEBASED ENCRYPTION
Bull. Korean Math. Soc. 46 (2009), No. 4, pp. 803 819 DOI 10.4134/BKMS.2009.46.4.803 ON MULTIAUTHORITY CIPHERTEXTPOLICY ATTRIBUTEBASED ENCRYPTION Sascha Müller, Stefan Katzenbeisser, and Claudia Eckert
More informationFuzzy Identity Based Encryption Preliminary Version
Fuzzy Identity Based Encryption Preliminary Version Amit Sahai Brent R. Waters Abstract We introduce a new type of Identity Based Encryption (IBE) scheme that we call Fuzzy Identity Based Encryption. A
More informationIdentityBased Encryption from the Weil Pairing
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
More informationHierarchical IDBased Cryptography
Hierarchical IDBased Cryptography Craig Gentry 1 and Alice Silverberg 2 1 DoCoMo USA Labs San Jose, CA, USA cgentry@docomolabsusa.com 2 Department of Mathematics Ohio State University Columbus, OH, USA
More informationChosenCiphertext Security from IdentityBased Encryption
ChosenCiphertext Security from IdentityBased Encryption Ran Canetti 1, Shai Halevi 1, and Jonathan Katz 2 1 IBM T. J. Watson Research Center, Hawthorne, NY. {canetti,shaih}@watson.ibm.com 2 Dept. of
More informationVerifiable Functional Encryption
Verifiable Functional Encryption Saikrishna Badrinarayanan Vipul Goyal Aayush Jain Amit Sahai Abstract In light of security challenges that have emerged in a world with complex networks and cloud computing,
More informationIdentitybased Encryption with Efficient Revocation
A preliminary version of this paper appears in Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS 2008, ACM Press, 2008. This is the full version. Identitybased Encryption
More informationKey Policy Attributebased Proxy Reencryption and RCCA Secure Scheme
Keying Li, Jianfeng Wang 2, Yinghui Zhang 3, and Hua Ma School of mathematics and statistics, Xidian University, P.R.China likeying88@63.com and ma hua@26.com 2 State Key Laboratory of Integrated Service
More informationLecture 13: Message Authentication Codes
Lecture 13: Message Authentication Codes Last modified 2015/02/02 In CCA security, the distinguisher can ask the library to decrypt arbitrary ciphertexts of its choosing. Now in addition to the ciphertexts
More informationAuthentication and Encryption: How to order them? Motivation
Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in
More informationThreshold Identity Based Encryption Scheme without Random Oracles
WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yatsen University Guangzhou, P.R. China Yanming Wang Lingnan College
More informationMessage Authentication Code
Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBCMAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44
More informationAttributedbased Access Control for MultiAuthority Systems in Cloud Storage
2012 32nd IEEE International Conference on Distributed Computing Systems Attributedbased Access Control for MultiAuthority Systems in Cloud Storage Kan Yang Department of Computer Science City University
More informationBallot privacy in elections: new metrics and constructions.
Ballot privacy in elections: new metrics and constructions. Olivier Pereira Université catholique de Louvain Based on joint works with: D. Bernhard, V. Cortier, E. Cuvelier, T. Peters and B. Warinschi
More informationSimplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings
Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Ernie Brickell Intel Corporation ernie.brickell@intel.com Liqun Chen HP Laboratories liqun.chen@hp.com March
More information36 Toward Realizing PrivacyPreserving IPTraceback
36 Toward Realizing PrivacyPreserving IPTraceback The IPtraceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems
More informationExperiments in Encrypted and Searchable Network Audit Logs
Experiments in Encrypted and Searchable Network Audit Logs Bhanu Prakash Gopularam Cisco Systems India Pvt. Ltd Nitte Meenakshi Institute of Technology Email: bhanprak@cisco.com Sashank Dara Cisco Systems
More information1 Construction of CCAsecure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of secure encryption We now show how the MAC can be applied to obtain a secure encryption scheme.
More informationVerifiable Delegation of Computation over Large Datasets
Verifiable Delegation of Computation over Large Datasets Siavosh Benabbas University of Toronto Rosario Gennaro IBM Research Yevgeniy Vahlis AT&T Cloud Computing Data D Code F Y F(D) Cloud could be malicious
More information1 PublicKey Encryption in Practice
CS 120/CSCI E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 16, 2006 Lecture Notes 15: PublicKey Encryption in Practice Recommended Reading. KatzLindell, Sections 9.4, 9.5.3 1 PublicKey
More informationDigital Signatures. Prof. Zeph Grunschlag
Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each
More informationCS 758: Cryptography / Network Security
CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html
More informationProvably Secure Cryptography: State of the Art and Industrial Applications
Provably Secure Cryptography: State of the Art and Industrial Applications Pascal Paillier Gemplus/R&D/ARSC/STD/Advanced Cryptographic Services FrenchJapanese Joint Symposium on Computer Security Outline
More informationEnabling Public Auditing for Secured Data Storage in Cloud Computing
IOSR Journal of Engineering (IOSRJEN) eissn: 22503021, pissn: 22788719 Vol. 3, Issue 5 (May. 2013), V3 PP 0105 Enabling Public Auditing for Secured Data Storage in Cloud Computing 1 Er.Amandeep Kaur,
More informationSome Identity Based Strong BiDesignated Verifier Signature Schemes
Some Identity Based Strong BiDesignated Verifier Signature Schemes Sunder Lal and Vandani Verma Department of Mathematics, Dr. B.R.A. (Agra), University, Agra282002 (UP), India. Email sunder_lal2@rediffmail.com,
More informationIntroduction. Chapter 1
Chapter 1 Introduction This is a chapter from version 1.1 of the book Mathematics of Public Key Cryptography by Steven Galbraith, available from http://www.isg.rhul.ac.uk/ sdg/cryptobook/ The copyright
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationAsymmetric Encryption. With material from Jonathan Katz, David Brumley, and Dave Levin
Asymmetric Encryption With material from Jonathan Katz, David Brumley, and Dave Levin Warmup activity Overview of asymmetrickey crypto Intuition for El Gamal and RSA And intuition for attacks Digital
More informationBoosting LinearlyHomomorphic Encryption to Evaluate Degree2 Functions on Encrypted Data
Boosting LinearlyHomomorphic Encryption to Evaluate Degree2 Functions on Encrypted Data Dario Catalano 1 and Dario Fiore 2 1 Dipartimento di Matematica e Informatica, Università di Catania, Italy. catalano@dmi.unict.it
More informationImproving Privacy and Security in MultiAuthority AttributeBased Encryption
Improving Privacy and Security in MultiAuthority AttributeBased Encryption ABSTRACT Melissa Chase Microsoft Research 1 Microsoft Way Redmond, WA 98052, USA melissac@microsoft.com Attribute based encryption
More informationImproved Proxy ReEncryption Schemes with Applications to Secure Distributed Storage
Improved Proxy ReEncryption Schemes with Applications to Secure Distributed Storage Giuseppe Ateniese Kevin Fu Matthew Green Susan Hohenberger Abstract In 1998, Blaze, Bleumer, and Strauss (BBS) proposed
More informationTechnische Universität München Winter term 2010 Theoretische Informatik Dr. M. Luttenberger / A. Gaiser SOLUTION. Cryptography Endterm
Technische Universität München Winter term 2010 Theoretische Informatik Dr. M. Luttenberger / A. Gaiser SOLUTION Cryptography Endterm Last name: First name: Student ID no.: Signature: Code {A,..., Z} 6
More informationTitle Goes Here An Introduction to Modern Cryptography. Mike Reiter
Title Goes Here An Introduction to Modern Cryptography Mike Reiter 1 Cryptography Study of techniques to communicate securely in the presence of an adversary Traditional scenario Goal: A dedicated, private
More informationMidterm Exam Solutions CS161 Computer Security, Spring 2008
Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext
More informationPUBLIC KEY ENCRYPTION
PUBLIC KEY ENCRYPTION http://www.tutorialspoint.com/cryptography/public_key_encryption.htm Copyright tutorialspoint.com Public Key Cryptography Unlike symmetric key cryptography, we do not find historical
More informationLecture 9  Message Authentication Codes
Lecture 9  Message Authentication Codes Boaz Barak March 1, 2010 Reading: BonehShoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationDefinitions for Predicate Encryption
Definitions for Predicate Encryption Giuseppe Persiano Dipartimento di Informatica, Università di Salerno, Italy giuper@dia.unisa.it Thursday 12 th April, 2012 Cryptographic Proofs 1 Content Results on
More informationPrivate Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps
Private Outsourcing of Polynomial Evaluation and Matrix Multiplication using Multilinear Maps Liang Feng Zhang, Reihaneh SafaviNaini Institute for Security, Privacy and Information Assurance Department
More informationCS Asymmetrickey Encryption. Prof. Clarkson Spring 2016
CS 5430 Asymmetrickey Encryption Prof. Clarkson Spring 2016 Review: block ciphers Encryption schemes: Enc(m; k): encrypt message m under key k Dec(c; k): decrypt ciphertext c with key k Gen(len): generate
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; DH key exchange; Hash functions; Application of hash
More informationA LITERATURE SURVEY ON DECENTRALIZED ACCESS CONTROL WITH ANONYMOUS AUTHENTICATION OF DATA STORED IN CLOUDS USING KDC
A LITERATURE SURVEY ON DECENTRALIZED ACCESS CONTROL WITH ANONYMOUS AUTHENTICATION OF DATA STORED IN CLOUDS USING KDC V.R.Mani Megalai, R.Mekala M.E.(Ph.D.) 1 PG Student, INFO Institute of Engineering,
More informationMAC. SKE in Practice. Lecture 5
MAC. SKE in Practice. Lecture 5 Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve
More information