Conditional Proxy Re-Encryption Secure against Chosen-Ciphertext Attack
|
|
- Madeleine Nash
- 7 years ago
- Views:
Transcription
1 Conditional Proxy Re-Encryption Secure against Chosen-Ciphertext Attack ABSTRACT In a proxy re-encryption (PRE) scheme [4] a proxy authorized by Alice transforms messages encrypted under Alice s public key into encryptions under Bob s public key without knowing the messages Proxy re-encryption can be used applications requiring delegation such as delegated processing However it is inadequate to handle scenarios where a fine-grained delegation is demanded For example Bob is only allowed Alice s encrypted s containing a specific keyword To overcome the limitation of existing PRE we introduce the notion of conditional proxy re-encryption (or C-PRE) whereby only ciphertext satisfying one condition set by Alice can be transformed by the proxy and then decrypted by Bob We formalize its security model and propose an efficient C-PRE scheme whose chosen-ciphertext security is proven under the 3-quotient bilinear Diffie-Hellman assumption We further extend the construction to allow multiple conditions with a slightly higher overhead INTRODUCTION The notion of proxy re-encryption (PRE) was initially introduced by Blaze Bleumer and Strauss introduced in [4] In a PRE system Bob is allowed to decipher public key encryptions for Alice with the assistance from an authorized proxy Specifically Alice authorizes the proxy by giving it a re-encryption key The proxy can then convert any ciphertext under Alice s public key into ciphertext under Bob s public key The requirement is that the semantic security of encryptions for Alice is preserved throughout the conversion such that the proxy gains no information about the involved plaintext messages Proxy re-encryption has found many practical applications such as encrypted forwarding secure distributed file systems and outsourced filtering of encrypted spam We use the encrypted forwarding as an example to illustrate the usage of PRE and to motivate our work as well Imagine that a department manager Alice is to take a vacation She delegates her secretary Bob to process her routine s Among the incoming s some could be encrypted under Alice s public key Traditional public key encryption schemes does not allow Bob to process such s following the security norm that one s private key should never be shared with other With a PRE system Alice can simply give the server a re-encryption key For an encrypted incoming the server (ie the proxy in PRE s jargon) transforms it into an encryption for Bob Then Bob can read this using his secret key When Alice is back she instructs the server to stop the transformation The existing notion of PRE does not facilitate flexible delegation Suppose that Alice instructs Bob to process s only when its subject contains the keyword urgent For other s Alice prefers to read them by herself after back to office Obviously the existing PRE schemes do not meet such needs To show further motivation we consider the case that Alice wants Bob to process only s with keyword market and prefers Charlie to process s only with keyword sales Using existing PRE mandates an escalated trust on the server since the server is trusted to enforce the access control policy specified by Alice We observe that such trust model is unrealistic in many applications In this paper we introduce the notion of conditional proxy re-encryption or C-PRE whereby Alice has a fine-grained control over the delegation As a result Alice can flexibly assign her delegate (Bob) the decryption capability based on the conditions attached to the messages using a proxy with no higher trust than in existing PRE schemes Our Results Our contribution includes a formal definition of conditional proxy re-encryption and its security notion Briefly speaking a C-PRE scheme involves three principals: a delegator (say user U i) a proxy and a delegatee (say user U j) similar to existing PRE systems A message sent to U i with condition w is encrypted by the sender using both U i s public key and w To authorize U j to decrypt such an encryption associated with w U i gives the proxy a partial re-encryption key rk ij and a condition key ck iw corresponding to the condition w These two keys form the secret trapdoor used by the proxy to perform ciphertext translation The proxy is unable to translate those ciphertext whose corresponding condition keys are not available Therefore U i has a flexible control on delegation by releasing condition keys properly We also construct a concrete C-PRE scheme using bilinear
2 pairings Under the 3-Quotient Bilinear Diffie-Hellman (3- QBDH) assumption we prove its chosen-ciphertext security in the random oracle model We further extend this basic scheme to a conditional proxy re-encryption with multiple conditions (MC-PRE) In the MC-PRE system a proxy with a partial re-encryption key can translate a ciphertext associated with multiple conditions if and only if he has all the required condition keys The proposed MC-PRE scheme is efficient since the number of bilinear pairings in use is independent of the number of the conditions 2 Related Work In the pioneer work due to Blaze Bleumer and Strauss [4] they presented the first bidirectional PRE scheme (refer to Remark for the definitions of bidirectional/unidirectional PRE) In 2005 Ateniese et al [ 2] presented a unidirectional PRE scheme based on bilinear pairings Both of these schemes are only secure against chosen-plaintext attack (CPA) However applications often require security against chosen-ciphertext attacks (CCA) To fill this gap Canetti and Hohenberger [] presented a construction of CCA-secure bidirectional PRE scheme from bilinear pairings Later Libert and Vergnaud [23] presented a CCAsecrue unidirectional PRE scheme from bilinear pairings Recently Deng et al [5] proposed a CCA-secure bidirectional PRE scheme without pairings All these constructions are standard PRE schemes and hence can not control the proxy at a fine-grained level In Pairing 08 Libert and Vergnaud [24] introduced the notion of traceable proxy re-encryption where malicious proxies leaking their re-encryption keys can be identified Proxy re-encryption has also been studied in identity-based scenarios Based on the ElGamal-type public key encryption system [6] and Boneh-Boyen s identity-based encryption system [3] Boneh Goh and Matsuo [7] described a hybrid proxy re-encryption system Based on Boneh and Franklin s identity-based encryption system [6] Green and Ateniese [8] presented CPA and CCA-secure identity-based proxy re-encryption (IB-PRE) schemes in the random oracle model Chu and Tzeng [3] presented the constructions of CPA and CCA-secure IB-PRE schemes without random oracles Another related work is the proxy encryption cryptosystem introduced by Mambo and Okamoto [26] In a proxy encryption scheme [4 2 26] A delegator allows a delegatee to decrypt ciphertext intended for her with the help of a proxy: an encryption for the delegator is first partially decrypted by the proxy and then fully decrypted by the delegatee However this scheme requires the delegatee to possess an additional secret for each delegation from Alice In contrast the delegatee in proxy re-encryption systems only needs his own private key as in a standard PKE Proxy re-encryption should not be confused with the universal re-encryption [9] in which ciphertext is only rerandomized instead of replacing the public keys 3 Organization The rest of the paper is organized as follows Section 2 gives an introduction to bilinear pairings and related complexity assumptions In Section 3 we formalize the definition and security notions for C-PRE systems In Section 4 we propose a C-PRE scheme and prove its chosen-ciphertext security under the 3-QBDH assumption In Section 5 we further extend our C-PRE scheme to obtain a conditional proxy re-encryption scheme with multiple conditions Finally Section 6 lists some open problems and concludes this paper 2 PRELIMINARIES 2 Notations Throughout this paper for a prime q let Z q denote {0 2 q } and Z q denote Z q\{0} For a finite set S x $ S means choosing an element x from S with a uniform distribution Finally a function f : N [0 ] is said to be negligible if for all c N there exists a k c N such that f(k) < k c for all k > k c 22 Bilinear Groups and Bilinear Pairings Let G and G T be two cyclic multiplicative groups with the same prime order q A bilinear pairing is a map e : G G G T with the following properties: Bilinearity: g g 2 G a b Z q we have e(g a g b 2) = e(g g 2) ab ; Non-degeneracy: There exist g g 2 G such that e(g g 2) GT ; Computability: There exists an efficient algorithm to compute e(g g 2) for g g 2 G 23 Complexity Assumptions The security of our proposed schemes is based on a complexity assumption called 3-Quotient Bilinear Diffie-Hellman (3- QBDH) assumption The decisional version of this assumption was recently used to construct a unidirectional proxy reencryption with chosen-ciphertext security [23] We briefly review the n-qbdh assumption a generalized version of 3-QBDH The n-qbdh problem in groups (G G T ) is given a tuple (g g /a g a g (an ) g b ) G n+2 with unknown a b $ Z q to compute e(g g) b a 2 A polynomial-time algorithm B has advantage ɛ in solving the n-qbdh problem in groups (G G T ) if Pr[B(g g a g a g (an ) g b ) = e(g g) b a 2 ] ɛ where the probability is taken over the random choices of a b in Z q the random choice of g in G and the random bits consumed by B Definition We say that the (t ɛ)-n-qbdh assumption holds in groups (G G T ) if no t-time adversary B has advantage at least ɛ in solving the n-qbdh problem in groups (G G T ) 3 MODEL OF CONDITIONAL PROXY RE- ENCRYPTION In this section we formalize the definition and security notions for C-PRE systems
3 3 Definition of C-PRE systems Formally a C-PRE scheme consists of the following seven algorithms: GlobalSetup(λ): The key generation algorithm takes as input a security parameter λ It generates the global parameters param 32 Security Notions In plain words the semantic security of a C-PRE encryption should be preserved against both the delegate and the proxy if they do not possess the proper condition key More formally the semantic security against chose-ciphertext attacks for a C-PRE scheme Π can be defined via the following game between an adversary A and a challenger C: KeyGen(i): The key generation algorithm generates the public/secret key pair (pk i sk i) for user U i RKeyGen(sk i pk j): The partial re-encryption key generation algorithm run by U i takes as input a secret key sk i and another public key pk j It outputs a partial re-encryption key rk ij CKeyGen(sk i w): The condition key generation algorithm run by user i takes as input a secret key sk i and a condition w It outputs a condition key ck iw Encrypt(pk m w): The encryption algorithm takes as input a public key pk a plaintext m M and a condition w It outputs ciphertext CT associated with w under pk Here M denotes the message space ReEncrypt(CT i rk ij ck iw): The re-encryption algorithm run by the proxy takes as input a ciphertext CT i associated with w under public key pk i a partial reencryption key rk ij and a condition key ck iw It outputs a re-encrypted ciphertext CT j under public key pk j Decrypt(CT sk): The decryption algorithm takes as input a secret key sk and a cipertext CT It outputs a message m M or the error symbol The correctness of C-PRE means that for any condition w any m M any (pk i sk i) KeyGen(i) (pk j sk j) KeyGen(j) and CT i = Encrypt(pk i m w) while for any other condition w and user j with w w and j j we have Remark Blaze Bleumer and Strauss [4] differentiated two types of proxy re-encryption systems: bidirectional PRE and unidirectional PRE In bidirectional PRE systems the re-encryption key allows the proxy to translate Alice s ciphertext to Bob s and vice versa In unidirectional PRE systems the re-encryption key can used only for one direction In general unidirectional PRE systems are preferable to bidirectional ones since (i) any unidirectional scheme can be easily transformed to a bidirectional one [] and (ii) in bidirectional PRE systems if the proxy and the delegatee collude they can recover the delegator s secret key The same argument applies to C-PRE systems Therefore in this paper we only consider unidirectional C-PRE Setup Challenger C runs algorithm GlobalSetup(λ) and gives the global parameters param to A Phase A adaptively issues queries q q m where query q i is one of the following: Uncorrupted key generation query i : C first runs algorithm KeyGen(i) to obtain a public/secret key pair (pk i sk i) and then sends pk i to A Corrupted key generation query j : C first runs algorithm KeyGen(j) to obtain a public/secret key pair (pk j sk j) and then gives (pk j sk j) to A Partial re-encryption key query pk i pk j : C runs algorithm RKeyGen(sk i pk j) to generate a partial re-encryption key rk ij and returns it to A Here sk i is the secret key with respect to pk i It is required that pk i and pk j were generated beforehand by algorithm KeyGen Condition key query pk i w : C runs algorithm CKeyGen(sk i w) to generate a condition key ck iw and returns it to A It is required that pk i was generated beforehand by algorithm KeyGen Re-encryption query pk i pk j (w CT i) : To reply this query challenger C runs algorithm ReEncrypt(CT i R and returns the resulting ciphertext CT j to A It is required that pk i and pk j were generated beforehand by algorithm KeyGen Decryption query pk (w CT) or pk j CT j : Here pk (w CT) and pk CT denote the queries on original ciphertexts and re-encrypted ciphertexts respectively Challenger C returns the result of Decrypt(CT sk) to A It is required that pk was generated beforehand by algorithm KeyGen PrˆDecrypt(CT i sk i) = m = and Challenge Once A decides that Phase is over it outputs PrˆDecrypt (ReEncrypt(CT i RKeyGen(sk i pk j) CKeyGen(sk i w)) sk j) = m = ; a target public key pk i a target condition w and two equal-length plaintexts m 0 m M C flips a random coin δ {0 } and sets the challenge ciphertext to be CT = Encrypt(pk i m δ w ) which is sent to A PrˆDecrypt `ReEncrypt(CT i RKeyGen(sk i pk j) CKeyGen(sk i w )) Phase sk j = 2 = neg(λ) PrˆDecrypt (ReEncrypt(CT i RKeyGen(sk i pk j ) CKeyGen(sk i w)) sk j) = A adaptively issues queries as in Phase and C answers = them neg(λ) as before Guess Finally A outputs a guess δ {0 } and wins the game if δ = δ During the above game adversary A is subject to the following restrictions: (i) A can not issue corrupted key generation queries on i to obtain the target secret key sk i (ii) A can issue decryption queries on neither pk i (w CT ) nor pk j ReEncrypt(CT rk i j ck i w ) (iii) A can not issue re-encryption queries on pk i pk j (w CT ) if pk j appears in a previous corrupted key generation query
4 (iv) A can not obtain both the condition key ck i w and the partial re-encryption key rk i j if pk j appears in a previous corrupted key generation query Remark 3 The above four restrictions rule out cases where A can trivially win the game To illustrate this we use the restriction (iv) as an example Suppose A obtains both the condition key ck i w and the partial re-encryption key rk i j with j is a corrupted user then she can run algorithm ReEncrypt(CT i rk i j ck i w ) to obtain a re-encrypted ciphertext CT j under public key pk j Using the secret key sk j A can decrypt the ciphertext to recover m δ and hence break the challenge We refer to the above adversary A as an IND-CPRE-CCA adversary His advantage in attacking scheme Π is defined as Adv IND-CPRE-CCA ΠA = Pr[δ = δ] /2 For the sake of an easy understanding of the security proofs for our proposed C-PRE scheme we differentiate two subcases of restriction (iv) described in the above IND-CPRE- CCA game and distinguish between two types of IND-CPRE- CCA adversaries: Type I IND-CPRE-CCA adversary: During the IND- CPRE-CCA game adversary A does not obtain the partial re-encryption key rk i j with pk j is corrupted Type II IND-CPRE-CCA adversary: During the IND- CPRE-CCA game adversary A does not obtain the condition key ck i w Note that these cases are mutually exclusive (by definition) and complete Therefore the IND-CPRE-CCA security of a C-PRE scheme can be proven by showing that neither Type I nor Type II IND-CPRE-CCA adversary can win with a non-negligible advantage GlobalSetup(λ): The setup algorithm takes as input a security parameter λ It first generates (q G G T e) where q is a λ-bit prime G and G T are two cyclic groups with prime order q and e is the bilinear pairing e : G G G T Next it chooses g g f f $ G and five hash functions H H 2 H 3 H 4 and H 5 such that H : {0 } Z q H 2 : G T {0 } l 0+l H 3 : {0 } G H 4 : G T {0 } l 0+l and H 5 : {0 } Z q Here l 0 and l are determined by the security parameter and the message space is {0 } l 0 The global parameters are param = ((q G G T e) g g f f H H 5) KeyGen(i): To generate the public/secret key pair for user U i it picks x $ i Z q and sets the public key and secret key to be pk i = (P i Q i) = (g x i g /x i ) and sk i = x i respectively where the probability is taken over the random coins consumed by the challenger and the adversary RKeyGen(sk i pk j): On input a secret key sk i = x i and a public key pk j = (P j Q j) = (g x j g /x j ) it outputs the partial re-encryption key rk ij = P /x i j = g x j /x i Definition 2 A C-PRE scheme Π is (t q u q c q rk q ck q re q d ɛ) CKeyGen(sk i w): On input a secret key sk i = x i and a IND-CPRE-CCA secure if and only if for any t-time IND- condition w {0 } it outputs the condition key CPRE-CCA adversary A that makes at most q u uncorrupted ck iw = H 3(w pk i) /x i key generation queries at most q c corrupted key generation queries at most q rk partial re-encryption key queries Encrypt(pk i m w): On input a public key pk i = (P i Q i) a at most q ck condition key queries at most q re re-encryption condition w and a message m {0 } l 0 it works as queries and at most q d decryption queries Adv IND-CPRE-CCA ΠA following: ɛ Pick r $ {0 } l and compute r = H (m r w) 2 Compute and output the ciphertext CT = (A B C D) as: A = g r B = P r i C = H 2 (e(g g) r ) (m r ) H 4 (e(q i H 3( () ReEncrypt(CT i rk ij ck iw): On input the ciphertext CT i associated with condition w under public key pk i a condition key ck iw and a partial re-encryption key rk ij this algorithm generates the re-encrypted ciphertext under key pk j as follows: Parse pk i as (P i Q i) and CT i as (A B C D) 2 Check whether both of the following equalities hold: e(a P i) = e(g B) e(a f H5(ABC) f ) = e(g D) (2) If not output ; otherwise output the re-encrypted ciphertext CT j = (B C ) as B = e(b rk ij) C = C H 4(e(A ck iw)) (3) 4 A SECURE C-PRE SCHEME In this section we first present our C-PRE scheme and then briefly explain the intuition behind the construction Finally based on the 3-QBDH assumption we prove the security for the proposed scheme 4 Construction The proposed C-PRE scheme consists of the following seven algorithms: Indeed the re-encrypted ciphertext CT j = (B C ) is of the following forms: B = e(g g sk j ) r C = H 2(e(g g) r ) (m r ) (4) where r = H (m r w) Decrypt(CT i sk i): On input a secret key sk i = x i and a ciphertext CT i under public key pk i = (P i Q i) this algorithm works according to two cases:
5 CT is an original ciphertext associated with a condition w ie CT = (A B C D): If Eq (2) does not hold output ; otherwise compute (m r ) = C H 4(e(A H 3(w pk i) /x i )) H 2(e(B g) /x i ) and return m if g x i H (mr w) = B holds and otherwise CT is a re-encrypted ciphertext ie CT = (B C ): Compute (m r ) = C H 2(B x i ) and return m if e(g g) x i H (mr w) = B holds and otherwise Correctness: It can be verified that all the correctly generated original/re-encrypted ciphertexts can be correctly decrypted We here explain why a re-encrypted ciphertext generated by a proxy who does not have both the right partial re-encryption key and the right condition key can not be decrypted by the delegatee with non-neglibible probability For example given an original ciphertext CT i = (A B C D) associated with condition w under public key pk i = (P i Q i) as in Eq () Suppose a proxy who has a partial re-encryption key rk ij = g x j /x i and a condition key ck iw = H 3(w pk i) /x i with w w runs ReEncrypt to translate ciphertext CT i into a ciphertext intended for U j Obviously CT i can pass the validity check of Eq (2) and hence he generates the re-encrypted ciphertext CT j = (B C ) as B = e(b rk ij) = e(p r i g x j /x i ) = e(g x ir g x j /x i ) = e(g g) x j r C = C H 4(e(A ck iw )) = H 2 (e(g g) r ) (m r ) H 4 (e(q i H 3(w pk i)) r ) H 4(e(A ck iw )) Hash Oracle = H 2 (e(g g) r ) (m r ) H 4 (e(q i H 3(w pk i)) r ) H 4 `e(qi H 3(w pk r Queries At any time adversary A can issue the random i)) oracle queries H i with i { 5} Algorithm Since w w the term H 4 (e(q i H 3(w pk i)) r ) in component C can not be canceled by H 4 (e(q i H 3(w pk i)) r ) are initially empty and responds as below: B maintains five hash lists Hi list with i { 5} which with overwhelming probability So when user j with secret key sk j = x j receives the above re-encrypted ciphertext H queries: On receipt of an H query (m r w) CT j he computes C H 2(B /x j ) and obtains (m r ) H 4 (e(q i H 3(w pk i)) r ) H 4 (e(q i H 3(w pk i)) r ) instead of if this query already appears on the H list in a tuple (m r w r) return the predefined value r Otherwise (m r ) Obviously this resulting value can not pass the validity check as shown in algorithm Decrypt Therefore re- and respond with H (m w r ) = r choose r $ Z q add the tuple (m r w r) to the H list encrypted ciphertext CT j can not be decrypted by U j with overwhelming probability H 2 queries: On receipt of an H 2 query U G T if this query already appears on the H2 list in a tuple (U β) Security Intuitions: Next we briefly explain why the proposed scheme can ensure the chosen-ciphertext security It follows two important facts First the re-encrypted ciphertext given in Eq (4) is indeed a ciphertext of the hashed CCA-secure ElGamal encryption [9 6 7] using the bilinear pairings and hence it is impossible for the adversary to gain any advantage through malicious manipulating the re-encrypted ciphertext Second the validity of the original ciphertext given in Eq () can be publicly verified by checking Eq (2) Thus it is also impossible for the adversary to maliciously manipulate the original ciphertext In the next subsection we show detailed security proofs 42 Security The proposed C-PRE scheme is IND-CPRE-CCA secure in the random oracle model as stated below Theorem Our C-PRE scheme is IND-CPRE-CCA secure in the random oracle model assuming the 3-QBDH assumption holds in groups (G G T ) Theorem follows directly from the following Lemma and 2 Lemma If there exists a (t q H q H2 q H3 q H4 q H5 q u q c q rk q ck q Type I IND-CPRE-CCA adversary A against our scheme then there exists an algorithm B which can solve the (t ɛ )- 3-QBDH problem in groups (G G T ) with ɛ ɛ q H2 e( + q rk ) qh ( + q d ) qre + q d 2 l 0+l q t t + (q H + q H2 + q H3 + q H4 + q H5 + q u + q c + q rk + q ck + q re + q d + (2q u + 2q c + q rk + q ck + q re + q H q re + 2q H q d + 3)t e + (6q re + where t e denotes the running time of an exponentiation in group G t p denotes the running time of a pairing in groups (G G T ) q Hi (i = 5) denotes the number of oracle queries to H i and q u q c q rk q ck q re and q d have the same meaning as those in Definition 2 Proof Suppose B is given as input a 3-QBDH challenge tuple (g g /a g a g (a2) g b ) with unknown a b $ Z q Algorithm B s goal is to output e(g g) b a 2 Algorithm B first picks u α α $ 2 Z q defines g = `g ) u (a2 f = `g (a2 ) α f = `g(a 2 ) α 2 and gives (g g f f ) to A Next B acts as a challenger and plays the IND-CPRE-CCA game with adversary A in the following way: return the predefined value β Otherwise choose β $ {0 } l 0+l add the tuple (U β) to the list H2 list and respond with H 2(U) = β H 3 queries: On receipt of an H 3 query (w pk i) if this query already appears on the H3 list in a tuple (w pk i s S) return the predefined value S Otherwise choose s $ Z q compute S = (g a ) s add the tuple (w pk i s S) to the H3 list and respond with H 3(w pk i) = S H 4 queries: On receipt of an H 4 query V G T if this query already appears on the H4 list in a tuple (V γ) return the predefined value γ Otherwise choose γ $ {0 } l 0+l add the tuple (V γ) to the H4 list and respond with H 4(V ) = γ H 5 queries: On receipt of an H 5 query (A B C) if this query already appears on the H5 list in a tuple (A B C η) return the predefined value η Otherwise choose η $ Z q add the tuple (A B C η) to the H list 5 and respond with H 5(A B C) = η
6 Phase In this phase adversary A issues a series of queries subject to the restrictions of the Type I IND-CPRE-CCA game B answers these queries for A as follows: Uncorrupted key generation query i : Algorithm B first picks x $ i Z q Next as in Coronaŕs proof technique [2] it flips a biased coin coin i {0 } that yields 0 with probability θ and with probability θ If coin i = 0 define pk i = (P i Q i) = (g a2 x i a g 2 x i ) = ((g (a2) ) x i x g u i ); else define pk i = (P i Q i) = (g ax i ax g i ) = ((g a ) x i (g a x ) u i ) Finally it returns pk i to adversary A and adds the tuple (pk i x i coin i) to the K list Corrupted key generation query j : Algorithm B first picks x j $ Z q and defines pk j = (P j Q j) = (g x j `g (a2 ) u/x j ) and coin j = Next it adds the tuple (pk j x j coin j) to the K list and returns (pk j x j) to adversary A Partial re-encryption key query pk i pk j : B first parses pk j as (P j Q j) and recovers tuples (pk i x i coin i) and (pk j x j coin j) from the K list Next it constructs the partial re-encryption key rk ij for adversary A according to the following situations: If coin i = it means that sk i = x i Algorithm B simply outputs rk ij = P /x i j If (coin i = coin j = 0) it means that sk i = ax i and sk j = a 2 x j B returns rk ij = (g a x ) i Note that this is a valid partial re-encryption key since (g a x j x ) i a 2 x j ax = g i sk i j = P If (coin i = coin j = ) or (coin i = 0 coin j = 0) algorithm B returns rk ij = g x j /x i If (coin i = coin j = ) or (coin i = 0 coin j = ) B returns rk ij = g /a xj /x i If (coin i = 0 coin j = ) B outputs failure and aborts Condition key query pk i w : Algorithm B first recovers tuple (pk i x i coin i) from the K list and tuple (w pk i s S) from the H3 list Next it constructs the condition key ck iw for adversary A according to the following cases: If coin i = it means that sk i = x i: Algorithm B responds with ck iw = S /x i If coin i = it means that sk i = ax i: Algorithm B responds with ck iw = g s/x i Note that this is x indeed a valid condition key since g s i ax = g as i = (g as ax ) i = H(w pk i) sk i If coin i = 0 it means that sk i = a 2 x i: B responds s/xi with ck iw = g /a Note that this is indeed s a valid condition key since g /a as xi = g a 2 x i = (g as ) a 2 x i = H(w pk i) sk i Re-encryption query pk i pk j (w CT i) : Algorithm B parses CT i as CT i = (A B C D) If Eq (2) does not hold it outputs ; otherwise it works as follows: Recover tuples (pk i x i coin i) and (pk j x j coin j) from the K list x j 2 Issue a condition key query pk i w to obtain the condition key ck iw 3 Finally generate the re-encrypted ciphertext according to the following two cases: coin i = 0 coin j = : search whether there exists a tuple (m r w r) H list such that g r = A and w = w If yes compute B = e(g Pj r ) C = C H 4(e(A ck iw )) and return CT j = (B C ) as the re-encrypted ciphertext to A; otherwise return Otherwise: Algorithm B first constructs the partial re-encryption key rk ij as in the partial re-encryption key queries and then runs algorithm ReEncrypt(CT i rk ij ck iw ) and finally returns the resulting re-encrypted ciphertext CT j to A Decryption query pk i (w CT) or pk i CT : Algorithm B parses pk i as pk i = (P i Q i) and then recovers tuple (pk i x i coin i) from the K list If coin i = (meaning sk i = x i) algorithm B decrypts the ciphertext using x i and returns the plaintext to A Otherwise it proceeds as follows Parse CT as CT = (A B C D) or CT = (B C) When CT = (A B C D) work as follows: if Eq (2) does not hold return else construct the condition key ck iw as in the condition key query and define C = C H 4(e(A ck iw )) 2 Search lists H list and H2 list to see whether there exist tuples (m r w r) H list and (U β) H2 list such that w = w P r i = B β (m r ) = C and U = e(g g) r If yes return m to A Otherwise return Challenge When A decides that Phase is over it outputs a target public key pk i a condition w and two equallength messages m 0 m {0 } l 0 Algorithm B responds as follows: Recover tuple (pk i x coin ) from the K list If coin 0 output failure and abort Otherwise (meaning sk i = a 2 x ) algorithm B continues to execute the following steps 2 Pick y $ Z q C $ {0 } l 0+l and define A = g uby B = g bx y D = g by (α H 5 (A B C )+α 2 ) 3 Construct the condition key ck i w as in the condition key query 4 Pick a random bit δ $ {0 } r $ {0 } l Implicitly define H (m δ r w ) = by and H a 2(e(g g) by 2 a 2 ) = C (m δ r ) H 4(e(A ck i w )) (note that B knows neither by nor e(g g) by a 2 a 2 ) 5 Return CT = (A B C D ) as the challenged ciphertext to adversary A Note that by the construction given above if let r by a 2 we can see that the challenged ciphertext CT has the same distribution as the real one since H 2 acts as a random oracle and
7 The simulation of the decryption oracle is perfect with the A = g uby = `g u) (a2 by a 2 = g r B = g bx y = `g exception a2 x by that simulation errors may occur in rejecting some a 2 = Pi r C = C `(m δ r ) H 4(e(A ck ) i w `(m valid ciphertexts However these errors are not significant as δ r ) H 4(e(A shown ck below: i w ) Suppose a ciphertext CT has been queried to = `C (m δ r ) H 4(e(A ck ) i w `(m the decryption oracle Even if CT is a valid ciphertext there δ r ) H 4(e(Q i is Ha 3(w possibility pk i ) ) r that CT can be produced without querying = H 2(e(g g) by a 2 ) `(m e(g g) δ r ) H 4(e(Q i H 3(w pk i ) ) r to H 2 where r = H (m r w) Let Valid be an r event that CT is valid Let AskH 2 and AskH respectively = H 2(e(g g) r ) (m δ r ) H 4(e(Q i H 3(w pk i ) r ) be events that e(g g) r has been queried to H 2 and (m r w) D = g by (α H 5 (A B C )+α 2 ) = g a2 α H 5 (A B C ) by has been queried to H g a2 α 2 a 2 = f H 5(A B C ) r We then have Pr[Valid AskH f 2] Pr[Valid AskH AskH 2] + Pr[Valid AskH Phase 2 A continues to issue the rest of queries as in Phase with the restrictions described in the Type I IND-CPRE- CCA game Algorithm B responds to these queries as in Phase Guees Eventually adversary A returns a guess δ {0 } to B Algorithm B randomly picks a tuple (U β) from the list H2 list and outputs U /y as the solution to the given 3-QBDH instance Analysis Now let s analyze the simulation The main idea of the analysis is borrowed from [9] We first evaluate the simulations of the random oracles From the constructions of H 3 H 4 and H 5 it is clear that the simulations of these oracles are perfect As long as adversary A does not query (m δ r w ) to H nor e(g g) by a 2 to H 2 where δ and r are chosen by B in the Challenge phase the simulations of H and H 2 are perfect By AskH we denote the event that (m δ r w ) has been queried to H Also by AskH 2 we denote the event that e(g g) by a 2 has been queried to H 2 As argued before the challenged ciphertext provided for A is identically distributed as the real one from the construction From the description of the simulation it can be seen that the responses to A s uncorrupted key generation queries corrupted key generation queries condition key queries are also perfect Next we analyze the simulation of the partial re-encryption key oracle and the Challenge phase Obviously if B does not abort during the simulation of the partial re-encryption key queries the response to A s partial re-encryption key queries is perfect Similarly if B does not abort in the Challenge phase the Challenge phase is also perfect Let Abort denote the event of B s aborting during the whole simulation Then we have Pr[ Abort] θ q rk ( θ) which is maximized at θ opt = q rk least +q rk Using θ opt the probability Pr[ Abort] is at e(+q rk ) We proceed to analyze the simulation of the re-encryption oracle The responses to adversary A s re-encryption queries are perfect unless A can submit valid original ciphertexts without querying hash function H (denote this event by ReEncErr) However since H acts as a random oracle and adversary A issues at most q re re-encryption queries we have Pr[ReEncErr] qre q Now we evaluate the simulation of the decryption oracle Pr[AskH AskH 2] + Pr[Valid AskH AskH Let DecErr be the event that Valid AskH 2 happens during the entire simulation Then since q d decryption oracles are issued we have Pr[DecErr] q H q d 2 l 0 +l + q d q Now let Good denote the event (AskH 2 (AskH AskH 2) ReEncErr DecErr) Abort If event Good does not happen due to the randomness of the output of the random oracle H 2 it is clear that adversary A can not gain any advantage greater than in guessing δ Namely we have 2 Pr[δ = δ Good] = Hence by splitting 2 Pr[δ = δ] we have Pr[δ = δ] = Pr[δ = δ Good]Pr[ Good] + Pr[δ = δ Good]Pr[Good 2 Pr[ Good] + Pr[Good] = ( Pr[Good]) + Pr[Good 2 and Pr[δ = δ] Pr[δ = δ Good]Pr[ Good] = 2 ( Pr[Good]) = 2 2 P By definition of the advantage for the Type I IND-CPRE- CCA adversary we then have ɛ = 2 Pr[δ = δ] Pr[Good] = Pr[(AskH 2 (AskH AskH 2) ReEncErr DecErr) = (Pr[AskH 2] + Pr[AskH AskH 2] + Pr[ReEncErr + Pr[DecErr]) Pr[ Abort] Since Pr[AskH AskH 2] q H Pr[DecErr] q H q d + q 2 l 0 +l 2 l 0 +l d q Pr[ReEncErr] qre and Pr[ Abort] q e(+q rk we obtain ) Pr[AskH 2] Pr[ Abort] ɛ Pr[AskH AskH 2] Pr[DecErr] Pr[ ɛ e( + q rk ) qh qh q d q d 2 l 0+l 2 l 0+l q qre q = ɛ e( + q rk ) Meanwhile if event AskH 2 happens algorithm B will be able to solve the 3-QBDH instance by picking e(g g) by /y a 2 from the list H list 2 Consequently we obtain ɛ Pr[AskH 2] ɛ q H2 q H2 e( + q rk ) qh ( + q d ) qre + q d 2 l 0+l q
8 From the description of the simulation the running time of algorithm B can be bounded by t hold: t + (q H + q H2 + q H3 + q H4 + q H5 + q u + q c + q rk + q ck + q re + q d )O() + (2q u + 2q c + q rk + q ck + q re + q H q re + 2q H q d + 3)t e + (6q re + 5qe(A d + )t P i) p = e(g B) This completes the proof of Lemma Next we prove that under the 2-QBDH assumption there exists no Type II IND-CPRE-CCA adversary A against our scheme with non-negligible probability Note that the 2- QBDH assumption is weaker than the 3-QBDH assumption and is implied by the latter Lemma 2 If there exists a (t q H q H2 q H3 q u q c q rk q ck q re q d ɛ) Type II IND-CPRE-CCA adversary A against our scheme then there exists an algorithm B which can solve the (t ɛ )- 2-QBDH problem in groups (G G T ) with ɛ ɛ q H4 e( + q ck ) qh ( + q d ) qre + q d 2 l 0+l q t If B = e(g g) x H (mr {w t } t {k kn}) return t + (q H + q H2 + q H3 + q H4 + q H5 + q u + q c + q rk + q ck + q re + q d )O() m else return + (2q u + 2q c + q rk + q ck + 2q re + q H q re + 2q H q d + 3)t e + (6q re + 4q d + q H q d + )t p where t e t p q Hi (i = 5) q u q c q rk q ck q re and q d have the same meaning as Lemma The proof is in Appendix A 5 EXTENSIONS In this section we extend our C-PRE scheme to obtain a conditional proxy re-encryption system with multiple conditions (MC-PRE) In a MC-PRE system the proxy with a partial re-encryption key rk ij can translate ciphertexts associated with a set of conditions {w t} t {k k n} from user U i to user U j if and only if he has all the condition keys {ck iwt } t {k k n} with respect to these conditions Based on the C-PRE scheme in Section 4 we present a MC-PRE scheme The proposed MC-PRE scheme consists of seven algorithms where GlobalSetup KeyGen RKeyGen and CKeyGen are the same as those in the C-PRE scheme and the other three algorithms are specified as below: Encrypt(pk m {w t} t {k k n}): On input a public key pk = (P Q) a plaintext m {0 } l 0 and a set of conditions {w t} t {k k n} this algorithm works as below: Pick r $ {0 } l and compute r = H (m r {w t} t {k This k n}) research is supported by the Office of Research Singapore Management University 2 Compute A = g r B = P r C = H 2 (e(g g) r ) (m r ) H 4 e`q ` Q H 3(w t pk) r and t {k k n} r D = f H5(ABC) f 3 Output the original ciphertext CT = (A B C D) ReEncrypt(CT i rk ij {ck iwt } t {k k n}): On input a ciphertext CT i associated with a set of conditions {w t} t {k k n} under public key pk i a partial re-encryption key rk ij and a set of condition key {ck iwt } t {k k n} it generates the ciphertext under key pk j as follows: Parse pk i = (P i Q i) and CT i = (A B C D) 2 Check whether both of the following equalities e(a f H5(ABC) f ) = e(g D) (5) If not output ; otherwise compute B = e(b rk ij) C = C H 4 e(a Q t {k k n} ck iwt ) and output the re-encrypted ciphertext CT j = (B C ) Decrypt(CT sk): On input a secret key sk = x and a ciphertext CT under public key pk this algorithm works according to two cases: CT is an original ciphertext associated with a set of conditions {w t} t {k k n} ie CT = (A B C D): Check whether Eq (5) holds If not output Otherwise compute (m r Q ) = C H 4 e(a H 3(w t {k k n} H 2`e(B g) /x and if B = g x H (mr {w t } t {k kn}) return m else return CT = (B C ): Compute (m r ) = C H 2(B /x ) Interestingly the number of bilinear pairings needed in the above MC-PRE scheme is independent of the number of conditions and the efficiency of this MC-PRE scheme is comparable to that of the C-PRE scheme in Section 4 Similarly to the C-PRE scheme the chosen-ciphertext security of the proposed scheme can be proved under the 3- QBDH assumption Of course the security model should be slightly modified to address the situations under multiple conditions Due to the space limit we omit the security model and proofs 6 CONCLUSIONS AND OPEN QUESTIONS In this paper we tackle the problem of how to control the proxy in PRE systems at a fine-grained level We introduce the concept of conditional proxy re-encryption We formalize its definition and its security notions and propose a CCA-secure C-PRE scheme We further extend this C- PRE scheme to support multiple conditions with reasonable overhead The conditions in our proposed solution are limited to keywords It remains as an interesting open problem how to construct CCA-secure C-PRE schemes with anonymous conditions or boolean predicates Acknowledgment 7 REFERENCES [] G Ateniese K Fu M Green and S Hohenberger Improved Proxy Re-encryption Schemes with Applications to Secure Distributed Storage In Proc of NDSS 2005 pp [2] G Ateniese K Fu M Green and S Hohenberger Improved Proxy Re-encryption Schemes with Applications to Secure Distributed Storage ACM Transactions on Information and System Security (TISSEC) 9():-30 February 2006
9 [3] D Boneh and X Boyen Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles In advances in Cryptology-Eurocrypt 04 LNCS 3027 pp Springer-Verlag 2004 [4] M Blaze G Bleumer and M Strauss Divertible Protocols and Atomic Proxy Cryptography In advances in Cryptology-Eurocrypt 98 LNCS 403 pp Springer-Verlag 998 [5] D Boneh G D Crescenzo R Ostrovsky and G Persiano Public Key Encryption with Keyword Search In Advanecs in Cryptology-Eurocrypt 04 LNCS 3027 pp Springer-Verlag 2004 [6] D Boneh and M Franklin Identity based encryption from the Weil pairing In Advanecs in Cryptology-Crypto 0 LNCS 239 pp Springer-Verlag 200 [7] D Boneh E-J Goh and T Matsuo Proposal for P3633 Proxy Re-encryption [8] D Boneh E-J Goh K Nissim Evaluating 2-DNF Formulas on Ciphertexts In Proc of TCC 05 LNCS 3378 pp Springer-Verlag 2005 [9] J Baek R Safavi-Naini and W Susilo Certificatless Public Key Encryption without Pairing In Proc of ISC 05 LNCS 3650 pp Springer-Verlag 2005 [0] D Boneh B Waters Conjunctive Subset and Range Queries on Encrypted Data In Proc of TCC 07 LNCS 4392 pp Springer-Verlag 2007 [] R Caneti and S Hohenberger Chosen-Ciphertext Secure Proxy Re-Encryption In Proc of ACM CCS 2007 pp ACM Press 2007 [2] J-S Coron On the Exact Security of Full Domain Hash In advances in Cryptology-Crypto 00 LNCS 880 pp Springer-Verlag 2000 [3] C Chu and W Tzeng Identity-Based Proxy Re-Encryption without Random Oracles In Proc of ISC 07 LNCS 4779 pp Springer-Verlag 2007 [4] Y Dodis and A-A Ivan Proxy Cryptography Revisited In Proc of NDSS [5] R H Deng J Weng S Liu K Chen Chosen-Cipertext Secure Proxy Re-Encryption without Pairings To appear in CANS 08 Springer-Verlag 2008 [6] T ElGamal A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms In Advances in Cryptology-Crypto 84 LNCS 96 pp0-8 Springer-Verlag 984 [7] E Fujisaki and T Okamoto Secure Integration of Asymmetric and Symmetric Encryption Schemes In Advances in Cryptology-Crypto 99 LNCS 666 pp Springer-Verlag 999 [8] M Green and G Ateniese Identity-Based Proxy Re-Encryption In Proc of ACNS 07 LNCS 452 pp Springer-Verlag 2007 [9] P Golle M Jakobsson A Juels and P F Syverson Universal Re-Encryption for Mixnets In Proc of CT-RSA 04 LNCS 2964 pp Springer-Verlag 2004 [20] P Golle J Staddon and B Waters Secure Conjunctive Keyword Search over Encrypted Data In Proc of ACNS 04 LNCS 3089 pp 3-45 Springer-Verlag 2004 [2] M Jakobsson On Quorum Controlled Asummetric Proxy Re-Encryption In Proc of PKC 99 LNCS 560 pp 2-2 Springer-Verlag 999 [22] J Katz A Sahai and B Waters: Predicate Encryption Supporting Disjunctions Polynomial Equations and Inner Products In advances in Cryptology-Eurocrypt 08 LNCS 4965 pp Springer-Verlag 2008 [23] B Libert and D Vergnaud Unidirectional Chosen-Ciphertext Secure Proxy Re-encryption In Proc of PKC 08 LNCS 4929 pp Springer-Verlag 2008 [24] B Libert and D Vergnaud Tracing Malicious Proxies in Proxy Re-Encryption In Proc of Pairing 08 LNCS 5209 pp Springer-Verlag 2008 [25] T Matsuo Proxy Re-Encryption Systems for Identity-Based Encryption In Proc of Paring 07 LNCS 4575 PP Springer-Verlag 2007 [26] Masahiro Mambo and Eiji Okamoto Proxy Cryptosystems: Delegation of the Power to Decrypt Ciphertexts IEICE Trans Fund Electronics Communications and Computer Science E80-A/: [27] E Shi B Waters: Delegating Capabilities in Predicate Encryption Systems In Proc of ICALP (2) 2008 LNCS 526 pp Springer-Verlag 2008 Appendix A Proof of Lemma 2 Proof Suppose B is given as input a 2-QBDH challenge tuple (g g /a g a g b ) with unknown a b $ Z q Algorithm B s goal is to output e(g g) b/a2 Algorithm B first picks u α α 2 $ Z q defines g = g u f = (g a ) α f = (g a ) α 2 and gives (g g f f ) to A Next B acts as a challenger and plays the Type II IND-CPRE-CCA game with adversary A in the following way: Hash Oracle Queries B maintains five hash lists H list i with i { 5} and responds in the same way as in the proof of Lemma except that H 3 queries are conducted in the following way: H 3 queries: On receipt of an H 3 query (w pk i) if this query already appears on the H3 list in a tuple (w pk i s S coin) return the predefined value S Otherwise pick s $ Z q and flip a random biased coin coin {0 } that yields 0 with probability θ and with probability θ If coin = 0 then the hash value H 3(w pk i) is defined as S = g s else S = g bs Finally S is returned to A and (w pk i s S coin) is added to the H3 list Phase In this phase A issues a series of queries subject to the restrictions of the Type II IND-CPRE-CCA game B maintains a list K list and answers these queries as follows: Uncorrupted key generation query i : B first picks x $ i Z q and defines pk i = (P i Q i) = (g ax i ax g i ) = ((g a ) x i (g a u ) xi ) Next it defines c i = 0 adds the tuple (pk i x i c i) to the K list and returns pk i to adversary A Here the bit c i is used to denote whether the secret key with respect to pk i is corrupted ie c i = 0 indicates uncorrupted and c i = means corrupted Corrupted key generation query j : B first picks x j Z q and defines pk j = (P j Q j) = (g x j x g u j ) c j = Next it adds the tuple (pk j x j c j) to the K list and returns (pk j x j) to A Partial re-encryption key query pk i pk j : B recovers tuples (pk i x i c i) and (pk j x j c j) from the K list and constructs the partial re-encryption key rk ij for A according to the following cases: If c i = c j Respond with rk ij = g x j /x i If c i = c j = 0 Respond with rk ij = (g a ) x j /x i xj If c i = 0 c j = Respond with rk ij = g /a /x i $
10 Condition key query pk i w : B first recovers the tuple 4 Pick δ $ {0 } and r $ {0 } l Implicitly define (pk i x i c i) from the K list and the tuple (w pk i s S coin) from the H3 list H Next it constructs the condition key (m δ r w ) = y and H4(e(g g) ubs y a a x ) = C ck iw for adversary A according to the following cases: (m δ r ) H 2(e(g g a ) y ) (note that algorithm B knows If c i = it means that sk i = x i Algorithm B neither y responds with ck iw = S /x i y a a x ) 5 Return CT = (A B C D ) as the challenged ciphertext to adversary A If c i = 0 coin = 0 it means that sk i = ax i and H 3(w pk i) = g s i Algorithm B responds with si ck iw = g /a /x i Note that by the construction given above if let r y a If c i = 0 coin = it means that sk i = ax i and we can see that the challenged ciphertext CT has the same H 3(w pk i) = g bs i Algorithm B outputs failure and aborts distribution as the real one since H 2 and H 4 act as random oracles and Re-encryption query pk i pk j (w CT i) : B parses pk i = A (P i Q i) pk j = (P j Q j) and CT i = (A B C D) If Eq = `g /a uy = `g u y /a = g r (2) does not hold it outputs ; otherwise it acts as B = g x y = `g ax y /a = Pi r follows: Recover tuples (pk i x i c i) and (pk j x j c j) from C = (m δ r ) H 2(e(g g /a ) y ) `C (m δ r ) H 2(e(g g /a ) y ) the K list 2 Issue a partial re-encryption key query to obtain = (m δ r ) H 2(e(g g) y a ) H4(e(g g) ubs y a 2 x ) the partial re-encryption key rk ij 3 Recover the tuple (w pk i s S coin) from the H3 list = (m δ r ) H 2(e(g g) y a ) H4(e((g u ) ax g bs ) y a ) and produce the re-encrypted ciphertext according = (m δ r ) H 2(e(g g) r ) H 4(e(Q i H 3(w pk i ) r ) to the following two cases: c i = 0 coin = : Search whether there exists a D = g (α H 5 (A B C )+α 2 )y = `g a(α H 5 (A B C )+α 2 ) y /a = `f H 5( tuple (m r w r) H list such that g r = A and w = w If yes compute B = e(g Pj r ) C = Phase 2 Adversary A continues to issue the rest of queries C H 4(e(Q i S r )) and return CT j = (B C ) as in Phase with the restrictions described in the Type II as the re-encrypted ciphertext to A; otherwise IND-CPRE-CCA game B responds to these queries as in return Otherwise: Algorithm B first constructs the Phase condition key ck iw as in the condition key queries and then returns ReEncrypt(CT i rk ij ck iw ) Guees Eventually adversary A outputs a guess δ {0 } to A Algorithm B randomly picks a tuple (V γ) from the list H4 list Decryption query pk i (w CT) or pk i CT : Algorithm B responds as follows: instance and outputs V x us y as the solution to the given 2-QBDH Parse pk i as (P i Q i) Recover the tuple (pk i x i c i) from the K list If c i = (ie sk i = x i) decrypt CT using x i and return the resulting plaintext to Analysis Similarly to the analysis in Lemma it can be A seen that B s advantage against the 2-QBDH problem is at 2 Parse CT as CT = (A B C D) or CT = (B C) least When CT = (A B C D) return if Eq (2) does ɛ ɛ not hold q 3 Search lists H list and H2 list H4 e( + q ck ) qh ( + q d ) qre + q d 2 l 0+l q to see whether there exist tuples (m r w r) H list and (U β) H2 list and B s running time is bounded by such that t t + (q j Pi r = B U = e(g g) r w = w H + q H2 + q H3 + q H4 + q H5 + q u + q c + q rk + q ck + q re + q β (m r + (2q ) = C If CT=(A B C D); u + 2q c + q rk + q ck + 2q re + q H q re + 2q H q d + 3)t e + (6q re and β (m r ) H 4(e(Q i H 3(w pk i)) r ) = C If CT=(B C) If yes return m to A Otherwise return This completes the proof of Lemma 2 Challenge When A decides that Phase is over it outputs a target public key pk i = (P i Q i ) a condition w and two equal-length messages m 0 m {0 } l 0 Algorithm B responds as follows: Recover the tuple (w pk i s S coin ) from the H list 3 If coin = 0 output failure and abort Otherwise (meaning that H 3(w pk i ) = g bs ) continue to execute the rest steps 2 Recover the tuple (pk i x c ) from the K list 3 Pick y $ Z q and C $ {0 } l 0+l Define A = g /a uy B = g x y D = g (α H 5 (A B C )+α 2 )y
Lecture 17: Re-encryption
600.641 Special Topics in Theoretical Cryptography April 2, 2007 Instructor: Susan Hohenberger Lecture 17: Re-encryption Scribe: Zachary Scott Today s lecture was given by Matt Green. 1 Motivation Proxy
More informationNew Efficient Searchable Encryption Schemes from Bilinear Pairings
International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang
More informationIdentity-Based Encryption from the Weil Pairing
Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages
More informationLecture 25: Pairing-Based Cryptography
6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: Pairing-Based Cryptography Scribe: Ben Adida 1 Introduction The field of Pairing-Based Cryptography
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationCIS 5371 Cryptography. 8. Encryption --
CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.
More informationCategorical Heuristic for Attribute Based Encryption in the Cloud Server
Categorical Heuristic for Attribute Based Encryption in the Cloud Server R. Brindha 1, R. Rajagopal 2 1( M.E, Dept of CSE, Vivekanandha Institutes of Engineering and Technology for Women, Tiruchengode,
More informationMESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC
MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More informationImproved Proxy Re-encryption Schemes with Applications to Secure Distributed Storage
Improved Proxy Re-encryption Schemes with Applications to Secure Distributed Storage GIUSEPPE ATENIESE The Johns Hopkins University KEVIN FU University of Massachusetts, Amherst MATTHEW GREEN The Johns
More informationSecure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data
Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data V.Abinaya PG Scholar Kalasalingam Institute of Technology Krishnankoil. V.Ramesh Assistant professor Kalasalingam
More informationEfficient Unlinkable Secret Handshakes for Anonymous Communications
보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationSecure Conjunctive Keyword Search Over Encrypted Data
Secure Conjunctive Keyword Search Over Encrypted Data Philippe Golle 1 and Jessica Staddon 1 and Brent Waters 2 1 Palo Alto Research Center 3333 Coyote Hill Road Palo Alto, CA 94304, USA E-mail: {pgolle,staddon}@parc.com
More informationImproved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage
Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage Giuseppe Ateniese Kevin Fu Matthew Green Susan Hohenberger Abstract In 1998, Blaze, Bleumer, and Strauss (BBS) proposed
More informationSharing Of Multi Owner Data in Dynamic Groups Securely In Cloud Environment
Sharing Of Multi Owner Data in Dynamic Groups Securely In Cloud Environment Deepa Noorandevarmath 1, Rameshkumar H.K 2, C M Parameshwarappa 3 1 PG Student, Dept of CS&E, STJIT, Ranebennur. Karnataka, India
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationKeyword Search over Shared Cloud Data without Secure Channel or Authority
Keyword Search over Shared Cloud Data without Secure Channel or Authority Yilun Wu, Jinshu Su, and Baochun Li College of Computer, National University of Defense Technology, Changsha, Hunan, China Department
More informationSecure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud
1 Secure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud Kan Yang Associate Member IEEE Xiaohua Jia Fellow IEEE Kui Ren Senior Member IEEE Abstract Due to the high volume
More informationIdentity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks
Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming
More informationSecure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment
Secure Group Oriented Data Access Model with Keyword Search Property in Cloud Computing Environment Chih Hung Wang Computer Science and Information Engineering National Chiayi University Chiayi City 60004,
More informationAnalysis of Privacy-Preserving Element Reduction of Multiset
Analysis of Privacy-Preserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaC-RIM, Seoul
More informationSecurity Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012
Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database
More informationChosen-Ciphertext Security from Identity-Based Encryption
Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes
More informationPublic Key Encryption with Keyword Search Revisited
Public Key Encryption with Keyword Search Revisited Joonsang Baek, Reihaneh Safiavi-Naini,Willy Susilo University of Wollongong Northfields Avenue Wollongong NSW 2522, Australia Abstract The public key
More informationPrivacy in Encrypted Content Distribution Using Private Broadcast Encryption
Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth 1, Dan Boneh 1, and Brent Waters 2 1 Stanford University, Stanford, CA 94305 {abarth, dabo}@cs.stanford.edu 2 SRI
More informationLecture 9 - Message Authentication Codes
Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationA New and Efficient Signature on Commitment Values
International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding
More informationLecture 3: One-Way Encryption, RSA Example
ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require
More informationChosen-Ciphertext Security from Identity-Based Encryption
Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes
More informationCertificate Based Signature Schemes without Pairings or Random Oracles
Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying
More informationTime-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment
Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment Qin Liu a,b, Guojun Wang a,, Jie Wu b a School of Information Science and Engineering Central South Uversity Changsha,
More informationImproved Anonymous Proxy Re-encryption with CCA Security
Improved Anonymous Proxy Re-encryption with CCA Security Qingi Zheng Department of Computer Science University of Texas at San Antonio, TX, USA qingizheng@gmail.com Wei Zhu Julymobile Tech Co., Ltd Anhui,
More informationPublic Key Encryption with keyword Search
Public Key Encryption with keyword Search Dan Boneh Stanford University Giovanni Di Crescenzo Telcordia Rafail Ostrovsky Giuseppe Persiano UCLA Università di Salerno Abstract We study the problem of searching
More informationUniversal Padding Schemes for RSA
Universal Padding Schemes for RSA Jean-Sébastien Coron, Marc Joye, David Naccache, and Pascal Paillier Gemplus Card International, France {jean-sebastien.coron, marc.joye, david.naccache, pascal.paillier}@gemplus.com
More informationPublic Key Encryption that Allows PIR Queries
Public Key Encryption that Allows PIR Queries Dan Boneh Eyal Kushilevitz Rafail Ostrovsky William E Skeith III Appeared at CRYPTO 2007: 50-67 Abstract Consider the following problem: Alice wishes to maintain
More informationOverview of Public-Key Cryptography
CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows
More informationDefinitions for Predicate Encryption
Definitions for Predicate Encryption Giuseppe Persiano Dipartimento di Informatica, Università di Salerno, Italy giuper@dia.unisa.it Thursday 12 th April, 2012 Cryptographic Proofs 1 Content Results on
More informationMulti-Input Functional Encryption for Unbounded Arity Functions
Multi-Input Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multi-input functional encryption (MI-FE) was
More informationChapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationEnforcing Role-Based Access Control for Secure Data Storage in the Cloud
The Author 211. Published by Oxford University Press on behalf of The British Computer Society. All rights reserved. For Permissions please email: journals.permissions@oup.com Advance Access publication
More informationSELS: A Secure E-mail List Service *
SELS: A Secure E-mail List Service * Himanshu Khurana NCSA Work done with Adam Slagell and Rafael Bonilla * To appear in the Security Track of the ACM Symposium of Applied Computing (SAC), March 2005.
More information3-6 Toward Realizing Privacy-Preserving IP-Traceback
3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems
More informationLecture 5 - CPA security, Pseudorandom functions
Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.
More informationCryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur
Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)
More informationReusable Anonymous Return Channels
Reusable Anonymous Return Channels Philippe Golle Stanford University Stanford, CA 94305, USA pgolle@cs.stanford.edu Markus Jakobsson RSA Laboratories Bedford, MA 01730, USA mjakobsson@rsasecurity.com
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationDigital Signatures. Prof. Zeph Grunschlag
Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each
More informationConcrete Attribute-Based Encryption Scheme with Verifiable Outsourced Decryption
Concrete Attribute-Based Encryption Scheme with Verifiable Outsourced Decryption Abstract: Charan 1, K Dinesh Kumar 2, D Arun Kumar Reddy 3 1 P.G Scholar, 2 Assistant Professor, 3 Associate Professor 1,2,3
More informationSecure Data Management Scheme using One-Time Trapdoor on Cloud Storage Environment
, pp.257-272 http://dx.doi.org/10.14257/ijsia.2014.8.1.24 Secure Data Management Scheme using One-Time Trapdoor on Cloud Storage Environment Sun-Ho Lee and Im-Yeong Lee 1 Department of Computer Software
More informationPublic Key Encryption with keyword Search
Public Key Encryption with keyword Search Dan Boneh Stanford University Giovanni Di Crescenzo Telcordia Rafail Ostrovsky Giuseppe Persiano UCLA Università di Salerno Abstract We study the problem of searching
More informationThe application of prime numbers to RSA encryption
The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered
More informationMulti-Channel Broadcast Encryption
Multi-Channel Broadcast Encryption Duong Hieu Phan 1,2, David Pointcheval 2, and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. Broadcast encryption aims at sending a content
More informationComments on "public integrity auditing for dynamic data sharing with multi-user modification"
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers Faculty of Engineering and Information Sciences 2016 Comments on "public integrity auditing for dynamic
More informationSimplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings
Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Ernie Brickell Intel Corporation ernie.brickell@intel.com Liqun Chen HP Laboratories liqun.chen@hp.com March
More information1 Domain Extension for MACs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).
More informationSecure File Sharing in the Cloud by Row Complete Matrix Re-encryption Method
Secure File Sharing in the Cloud by Row Complete Matrix Re-encryption Method Tzeng, Jengnan National Chengchi University, Taipei, Taiwan Tsai, Jer-Min Kun Shan University, Yung-Kang, Taiwan Chen, I-Te
More informationProvably Secure Timed-Release Public Key Encryption
Provably Secure Timed-Release Public Key Encryption JUNG HEE CHEON Seoul National University, Korea and NICHOLAS HOPPER, YONGDAE KIM and IVAN OSIPKOV University of Minnesota - Twin Cities A timed-release
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationModular Security Proofs for Key Agreement Protocols
Modular Security Proofs for Key Agreement Protocols Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, niversity of London, K {c.j.kudla,kenny.paterson}@rhul.ac.uk Abstract.
More informationDemocratic Group Signatures on Example of Joint Ventures
Democratic Group Signatures on Example of Joint Ventures Mark Manulis Horst-Görtz Institute Ruhr-University of Bochum D-44801, Germany EMail: mark.manulis@rub.de Abstract. In the presence of economic globalization
More informationA SECURE FRAMEWORK WITH KEY- AGGREGATION FOR DATA SHARING IN CLOUD
A SECURE FRAMEWORK WITH KEY- AGGREGATION FOR DATA SHARING IN CLOUD Yerragudi Vasistakumar Reddy 1, M.Purushotham Reddy 2, G.Rama Subba Reddy 3 1 M.tech Scholar (CSE), 2 Asst.Professor, Dept. of CSE, Vignana
More informationCLOUD COMPUTING SECURITY IN UNRELIABLE CLOUDS USING RELIABLE RE-ENCRYPTION
CLOUD COMPUTING SECURITY IN UNRELIABLE CLOUDS USING RELIABLE RE-ENCRYPTION Chandrala DN 1, Kulkarni Varsha 2 1 Chandrala DN, M.tech IV sem,department of CS&E, SVCE, Bangalore 2 Kulkarni Varsha, Asst. Prof.
More informationAn Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud
An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Sanjay Madria Professor and Site Director for NSF I/UCRC Center on Net-Centric Software and Systems Missouri University
More informationIdentity-based Encryption with Efficient Revocation
A preliminary version of this paper appears in Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS 2008, ACM Press, 2008. This is the full version. Identity-based Encryption
More informationMACs Message authentication and integrity. Table of contents
MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationRSA OAEP is Secure under the RSA Assumption
This is a revised version of the extended abstract RSA OAEP is Secure under the RSA Assumption which appeared in Advances in Cryptology Proceedings of CRYPTO 2001 (19 23 august 2001, Santa Barbara, California,
More informationPublic Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography
Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt
More informationSecure and Efficient Data Retrieval Process based on Hilbert Space Filling Curve
Secure and Efficient Data Retrieval Process based on Hilbert Space Filling Curve N.S. Jeya karthikka PG Scholar Sri Ramakrishna Engg Collg S.Bhaggiaraj Assistant Professor Sri Ramakrishna Engg Collg V.Sumathy
More informationMTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic
More informationCh.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis
Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography
More informationSYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1
SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct
More informationSome Identity Based Strong Bi-Designated Verifier Signature Schemes
Some Identity Based Strong Bi-Designated Verifier Signature Schemes Sunder Lal and Vandani Verma Department of Mathematics, Dr. B.R.A. (Agra), University, Agra-282002 (UP), India. E-mail- sunder_lal2@rediffmail.com,
More informationSecure Computation Without Authentication
Secure Computation Without Authentication Boaz Barak 1, Ran Canetti 2, Yehuda Lindell 3, Rafael Pass 4, and Tal Rabin 2 1 IAS. E:mail: boaz@ias.edu 2 IBM Research. E-mail: {canetti,talr}@watson.ibm.com
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key
More informationWildcarded Identity-Based Encryption
Wildcarded Identity-Based Encryption Michel Abdalla 1, James Birkett 2, Dario Catalano 3, Alexander W. Dent 4, John Malone-Lee 5, Gregory Neven 6,7, Jacob C. N. Schuldt 8, and Nigel P. Smart 9 1 Ecole
More informationMessage Authentication Code
Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44
More informationOn the Difficulty of Software Key Escrow
On the Difficulty of Software Key Escrow Lars R. Knudsen and Torben P. Pedersen Katholieke Universiteit Leuven, Belgium, email: knudsen@esat.kuleuven.ac.be Cryptomathic, Denmark, email: tpp@cryptomathic.aau.dk
More informationCryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones
Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones Gwenaëlle Martinet 1, Guillaume Poupard 1, and Philippe Sola 2 1 DCSSI Crypto Lab, 51 boulevard de La Tour-Maubourg
More information1 Construction of CCA-secure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.
More informationVerifiable Outsourced Computations Outsourcing Computations to Untrusted Servers
Outsourcing Computations to Untrusted Servers Security of Symmetric Ciphers in Network Protocols ICMS, May 26, 2015, Edinburgh Problem Motivation Problem Motivation Problem Motivation Problem Motivation
More informationSECURE AND EFFICIENT PRIVACY-PRESERVING PUBLIC AUDITING SCHEME FOR CLOUD STORAGE
International Journal of Computer Network and Security(IJCNS) Vol 7. No.1 2015 Pp. 1-8 gopalax Journals, Singapore available at : www.ijcns.com ISSN: 0975-8283 ----------------------------------------------------------------------------------------------------------------------------------------------------------
More informationNon-Interactive CCA-Secure Threshold Cryptosystems with Adaptive Security: New Framework and Constructions
Non-Interactive CCA-Secure Threshold Cryptosystems with Adaptive Security: New Framework and Constructions Benoît Libert 1 and Moti Yung 2 1 Université catholique de Louvain, ICTEAM Institute (Belgium)
More informationFoundations of Group Signatures: The Case of Dynamic Groups
A preliminary version of this paper appears in Topics in Cryptology CT-RSA 05, Lecture Notes in Computer Science Vol.??, A. Menezes ed., Springer-Verlag, 2005. This is the full version. Foundations of
More informationAn Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood
An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood One significant impediment to the widespread adoption of public-key cryptography is its dependence on a public-key infrastructure
More informationBreaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring
Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2
More informationSheltered Multi-Owner Data distribution For vibrant Groups in the Cloud
Sheltered Multi-Owner Data distribution For vibrant Groups in the Cloud I.sriram murthy 1 N.Jagajeevan 2 II M-Tech student Assistant.Professor Department of computer science & Engineering Department of
More informationKeywords: Authentication, Third party audit, cloud storage, cloud service provider, Access control.
Volume 5, Issue 3, March 2015 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Identity Based
More informationPaillier Threshold Encryption Toolbox
Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created
More informationEfficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model *
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 0, 55-568 (04) Efficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model * College of Computer and Information
More informationThe Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)
The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication
More informationSecurity Analysis for Order Preserving Encryption Schemes
Security Analysis for Order Preserving Encryption Schemes Liangliang Xiao University of Texas at Dallas Email: xll052000@utdallas.edu Osbert Bastani Harvard University Email: obastani@fas.harvard.edu I-Ling
More informationBatch Decryption of Encrypted Short Messages and Its Application on Concurrent SSL Handshakes
Batch Decryption of ncrypted Short Messages and Its Application on Concurrent SSL Handshakes Yongdong Wu and Feng Bao System and Security Department Institute for Infocomm Research 21, Heng Mui Keng Terrace,
More informationNEW CRYPTOGRAPHIC CHALLENGES IN CLOUD COMPUTING ERA
THE PUBLISHING HOUSE PROCEEDINGS OF THE ROMANIAN ACADEMY, Series A, OF THE ROMANIAN ACADEMY Volume 14, Number 1/2013, pp. 72 77 NEW CRYPTOGRAPHIC CHALLENGES IN CLOUD COMPUTING ERA Laurenţiu BURDUŞEL Politehnica
More informationCryptanalysis of Cloud based computing
Cryptanalysis of Cloud based computing COMP 4109 Elom Tsiagbey Overview Introduction Recent threats to cloud computing Key Management models Conclusion Proposed key management model What is Cloud Computing?
More informationEFFICIENT AND SECURE ATTRIBUTE REVOCATION OF DATA IN MULTI-AUTHORITY CLOUD STORAGE
EFFICIENT AND SECURE ATTRIBUTE REVOCATION OF DATA IN MULTI-AUTHORITY CLOUD STORAGE Reshma Mary Abraham and P. Sriramya Computer Science Engineering, Saveetha University, Chennai, India E-Mail: reshmamaryabraham@gmail.com
More informationImproved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage
Improved Proxy Re-Encryption Schemes with Applications to Secure Distributed Storage Giuseppe Ateniese Kevin Fu Matthew Green Susan Hohenberger Abstract In 1998, Blaze, Bleumer, and Strauss (BBS) proposed
More informationNew Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings
New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings Fangguo Zhang 1, Reihaneh Safavi-Naini 1 and Chih-Yin Lin 2 1 School of Information Technology and Computer
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More information