Identity based cryptography

Size: px
Start display at page:

Download "Identity based cryptography"

Transcription

1 Identity based cryptography The case of encryption schemes David Galindo Security of Systems Department of Computer Science Radboud Universiteit Nijmegen Identity based cryptography p. 1/25

2 Outline Motivation Identity based cryptography p. 2/25

3 Outline Motivation Definitions Identity Based Encryption (IBE) Secure IBEs Identity based cryptography p. 2/25

4 Outline Motivation Definitions Identity Based Encryption (IBE) Secure IBEs Bilinear maps and problems Identity based cryptography p. 2/25

5 Outline Motivation Definitions Identity Based Encryption (IBE) Secure IBEs Bilinear maps and problems Schemes 2001 Boneh&Franklin scheme (ROM) 2004 Waters scheme (standard model) Identity based cryptography p. 2/25

6 Outline Motivation Definitions Identity Based Encryption (IBE) Secure IBEs Bilinear maps and problems Schemes 2001 Boneh&Franklin scheme (ROM) 2004 Waters scheme (standard model) Future research Identity based cryptography p. 2/25

7 Motivation: PKI To use Public Key Cryptography we need to bind identities and keys. Public Key Infrastructures Identity based cryptography p. 3/25

8 Motivation: PKI To use Public Key Cryptography we need to bind identities and keys. Public Key Infrastructures A Certification Authority (CA) issues certificates: U user s identity PK public key D 1 issue date D 2 expiration date Identity based cryptography p. 3/25

9 Motivation: PKI To use Public Key Cryptography we need to bind identities and keys. Public Key Infrastructures A Certification Authority (CA) issues certificates: U user s identity PK public key D 1 issue date D 2 expiration date Certificate(U, P K) Sig CA (U,PK,D 1,D 2 ) Identity based cryptography p. 4/25

10 Motivation: PKI To use Public Key Cryptography we need to bind identities and keys. Public Key Infrastructures A Certification Authority (CA) issues certificates: U user s identity PK public key D 1 issue date D 2 expiration date Certificate Revocation Problem Certificate(U, P K) Sig CA (U,PK,D 1,D 2 ) Identity based cryptography p. 4/25

11 Motivation: PKI (ii) Before performing the cryptographic operation involving the public key, we must validate Certificate(U, P K). Identity based cryptography p. 5/25

12 Motivation: PKI (ii) Before performing the cryptographic operation involving the public key, we must validate Certificate(U, P K). Easy for signature schemes. User U sends the certificate along with its signature on a message m (Certificate(U,PK), Sig PK (m),m) Identity based cryptography p. 5/25

13 Motivation: PKI (ii) Before performing the cryptographic operation involving the public key, we must validate Certificate(U, P K). Easy for signature schemes. User U sends the certificate along with its signature on a message m (Certificate(U,PK), Sig PK (m),m) Difficult for encryption schemes. Before sending a message m to user U, we should know if it is in possession of a valid certificate. Identity based cryptography p. 5/25

14 Motivation: PKI (ii) Before performing the cryptographic operation involving the public key, we must validate Certificate(U, P K). Easy for signature schemes. User U sends the certificate along with its signature on a message m (Certificate(U,PK), Sig PK (m),m) Difficult for encryption schemes. Before sending a message m to user U, we should know if it is in possession of a valid certificate. We would like to perform the public operation without extra communication. Identity based cryptography p. 5/25

15 Identity Based Encryption (IBE) Identity based cryptography p. 6/25

16 Identity Based Encryption (IBE) Main idea The public key is an identity ID {0, 1} A Key Generation Center KGC issues private keys for ID Identity based cryptography p. 6/25

17 Identity Based Encryption (IBE) Main idea The public key is an identity ID {0, 1} A Key Generation Center KGC issues private keys for ID An IBE scheme consists of 4 algorithms: Setup Takes a security parameter l and outputs system paramaters params and master-key. Identity based cryptography p. 6/25

18 Identity Based Encryption (IBE) Main idea The public key is an identity ID {0, 1} A Key Generation Center KGC issues private keys for ID An IBE scheme consists of 4 algorithms: Setup Takes a security parameter l and outputs system paramaters params and master-key. Encrypt Takes as inputs params, ID {0, 1} and message M and outputs a ciphertext C. Identity based cryptography p. 6/25

19 Identity Based Encryption (IBE) Main idea The public key is an identity ID {0, 1} A Key Generation Center KGC issues private keys for ID An IBE scheme consists of 4 algorithms: Setup Takes a security parameter l and outputs system paramaters params and master-key. Encrypt Takes as inputs params, ID {0, 1} and message M and outputs a ciphertext C. ExtractPrivateKey Takes as inputs params, master-key and ID {0, 1} and outputs a private decryption key d ID. Identity based cryptography p. 6/25

20 Identity Based Encryption (IBE) Main idea The public key is an identity ID {0, 1} A Key Generation Center KGC issues private keys for ID An IBE scheme consists of 4 algorithms: Setup Takes a security parameter l and outputs system paramaters params and master-key. Encrypt Takes as inputs params, ID {0, 1} and message M and outputs a ciphertext C. ExtractPrivateKey Takes as inputs params, master-key and ID {0, 1} and outputs a private decryption key d ID. Decrypt Takes as inputs params, private key d ID and message C and outputs a message M. Identity based cryptography p. 6/25

21 Identity Based Encryption (IBE) Main idea The public key is an identity ID {0, 1} A Key Generation Center KGC issues private keys for ID An IBE scheme consists of 4 algorithms: Setup Takes a security parameter l and outputs system paramaters params and master-key. Encrypt Takes as inputs params, ID {0, 1} and message M and outputs a ciphertext C. Certificate revocation problem can be avoided using ID = bob@company.com year month day Identity based cryptography p. 7/25

22 Security notions for IBE schemes IND-ID-CPA security for an IBE scheme E Identity based cryptography p. 8/25

23 Security notions for IBE schemes IND-ID-CPA security for an IBE scheme E Initialization The challenger runs setup, gives the adversary A the description of E, params and keeps d ID secret. Identity based cryptography p. 8/25

24 Security notions for IBE schemes IND-ID-CPA security for an IBE scheme E Initialization The challenger runs setup, gives the adversary A the description of E, params and keeps d ID secret. Phase 1 A issues adaptive queries of the type Extraction query ID i Identity based cryptography p. 8/25

25 Security notions for IBE schemes IND-ID-CPA security for an IBE scheme E Initialization The challenger runs setup, gives the adversary A the description of E, params and keeps d ID secret. Phase 1 A issues adaptive queries of the type Extraction query ID i Challenge A outputs two equal length M 0,M 1 and an ID ch on which it wishes to be challenged. The challenger b {0, 1} and sets C = Encrypt(params,ID ch,m b ) Identity based cryptography p. 8/25

26 Security notions for IBE schemes IND-ID-CPA security for an IBE scheme E Initialization The challenger runs setup, gives the adversary A the description of E, params and keeps d ID secret. Phase 1 A issues adaptive queries of the type Extraction query ID i Challenge A outputs two equal length M 0,M 1 and an ID ch on which it wishes to be challenged. The challenger b {0, 1} and sets C = Encrypt(params,ID ch,m b ) Phase 2 As in Phase 1, except submitting ID ch. Identity based cryptography p. 8/25

27 Security notions for IBE schemes IND-ID-CPA security for an IBE scheme E Initialization The challenger runs setup, gives the adversary A the description of E, params and keeps d ID secret. Phase 1 A issues adaptive queries of the type Extraction query ID i Challenge A outputs two equal length M 0,M 1 and an ID ch on which it wishes to be challenged. The challenger b {0, 1} and sets C = Encrypt(params,ID ch,m b ) Phase 2 As in Phase 1, except submitting ID ch. Guess A outputs a bit b and wins if b = b. Identity based cryptography p. 8/25

28 Security notions for IBE schemes IND-ID-CCA security for an IBE scheme E Identity based cryptography p. 9/25

29 Security notions for IBE schemes IND-ID-CCA security for an IBE scheme E Initialization The challenger runs setup, gives the adversary A the description of E, params and keeps d ID secret. Identity based cryptography p. 9/25

30 Security notions for IBE schemes IND-ID-CCA security for an IBE scheme E Initialization The challenger runs setup, gives the adversary A the description of E, params and keeps d ID secret. Phase 1 A issues adaptive queries of the type Extraction query ID i Decryption query ID i, C i Identity based cryptography p. 9/25

31 Security notions for IBE schemes IND-ID-CCA security for an IBE scheme E Initialization The challenger runs setup, gives the adversary A the description of E, params and keeps d ID secret. Phase 1 A issues adaptive queries of the type Extraction query ID i Decryption query ID i, C i Challenge A outputs two equal length M 0,M 1 and an ID ch on which it wishes to be challenged. The challenger b {0, 1} and sets C = Encrypt(params,ID ch,m b ) Identity based cryptography p. 9/25

32 Security notions for IBE schemes IND-ID-CCA security for an IBE scheme E Initialization The challenger runs setup, gives the adversary A the description of E, params and keeps d ID secret. Phase 1 A issues adaptive queries of the type Extraction query ID i Decryption query ID i, C i Challenge A outputs two equal length M 0,M 1 and an ID ch on which it wishes to be challenged. The challenger b {0, 1} and sets C = Encrypt(params,ID ch,m b ) Phase 2 As in Phase 1, except submitting ID ch. Identity based cryptography p. 9/25

33 Security notions for IBE schemes IND-ID-CCA security for an IBE scheme E Initialization The challenger runs setup, gives the adversary A the description of E, params and keeps d ID secret. Phase 1 A issues adaptive queries of the type Extraction query ID i Decryption query ID i, C i Challenge A outputs two equal length M 0,M 1 and an ID ch on which it wishes to be challenged. The challenger b {0, 1} and sets C = Encrypt(params,ID ch,m b ) Phase 2 As in Phase 1, except submitting ID ch. Guess A outputs a bit b and wins if b = b. Identity based cryptography p. 9/25

34 Bilinear maps and bilinear groups Let G, G T be prime order p abelian groups in which the discrete logarithm is believed to be hard. Identity based cryptography p. 10/25

35 Bilinear maps and bilinear groups Let G, G T be prime order p abelian groups in which the discrete logarithm is believed to be hard. By a bilinear map we will refer to a non-degenerate bilinear function t : G G G T. Identity based cryptography p. 10/25

36 Bilinear maps and bilinear groups Let G, G T be prime order p abelian groups in which the discrete logarithm is believed to be hard. By a bilinear map we will refer to a non-degenerate bilinear function t : G G G T. Computational Diffie-Hellman problem on G Given P,aP,bP G as input, compute abp G, where a Z p. Identity based cryptography p. 10/25

37 Bilinear maps and bilinear groups Let G, G T be prime order p abelian groups in which the discrete logarithm is believed to be hard. By a bilinear map we will refer to a non-degenerate bilinear function t : G G G T. Computational Diffie-Hellman problem on G Given P,aP,bP G as input, compute abp G, where a Z p. Decisional Diffie-Hellman problem on G Given P,aP,bP,cP G as input, output yes if c = ab and no otherwise, where a,b Z p. Identity based cryptography p. 10/25

38 Bilinear maps and bilinear groups Let G, G T be prime order p abelian groups in which the discrete logarithm is believed to be hard. By a bilinear map we will refer to a non-degenerate bilinear function t : G G G T. Computational Diffie-Hellman problem on G Given P,aP,bP G as input, compute abp G, where a Z p. Decisional Diffie-Hellman problem on G Given P,aP,bP,cP G as input, output yes if c = ab and no otherwise, where a,b Z p. (P,aP,bP,cP) is a DH tuple iff t(ap,bp) = t(p,abp). Identity based cryptography p. 10/25

39 BDH problems Identity based cryptography p. 11/25

40 BDH problems Bilinear Diffie-Hellman (BDH) Problem on G. Given P,aP,bP,cP G as input, compute W = t(p,p) abc G T. Identity based cryptography p. 11/25

41 BDH problems Bilinear Diffie-Hellman (BDH) Problem on G. Given P,aP,bP,cP G as input, compute W = t(p,p) abc G T. Decision Bilinear Diffie-Hellman (DBDH) Problem on G. Given P,aP,bP,cP G as input, and T G T,; output yes if T = t(p,p) abc and no otherwise. Identity based cryptography p. 11/25

42 Boneh-Franklin identity based encryption scheme Identity based cryptography p. 12/25

43 Basic scheme An IND-ID-CPA is defined first. BasicIdent Identity based cryptography p. 13/25

44 Basic scheme An IND-ID-CPA is defined first. BasicIdent Setup. Choose P G, s Z p and set P pub = sp G. Identity based cryptography p. 13/25

45 Basic scheme An IND-ID-CPA is defined first. BasicIdent Setup. Choose P G, s Z p and set P pub = sp G. Choose H 1 : {0,1} G and H 2 : G T {0,1} n. Identity based cryptography p. 13/25

46 Basic scheme An IND-ID-CPA is defined first. BasicIdent Setup. Choose P G, s Z p and set P pub = sp G. Choose H 1 : {0,1} G and H 2 : G T {0,1} n. Set M = {0,1} n and C = G {0,1} n. Identity based cryptography p. 13/25

47 Basic scheme An IND-ID-CPA is defined first. BasicIdent Setup. Choose P G, s Z p and set P pub = sp G. Choose H 1 : {0,1} G and H 2 : G T {0,1} n. Set M = {0,1} n and C = G {0,1} n. params = p, G, G T, t, P, P pub, H 1, H 2. The master-key is s Z p. Identity based cryptography p. 13/25

48 Basic scheme Extract. Given ID {0,1}, compute Q ID = H 1 (ID) G. Set d ID = sq ID G. Identity based cryptography p. 14/25

49 Basic scheme Extract. Given ID {0,1}, compute Q ID = H 1 (ID) G. Set d ID = sq ID G. Encrypt. To encrypt M {0,1} n under the public key ID Compute Q ID = H 1 (ID) G 2. Choose r Z p Set C = rp, M H 2 (gid r ) where g ID = t(p pub, Q ID ) G T. Identity based cryptography p. 14/25

50 Basic scheme Extract. Given ID {0,1}, compute Q ID = H 1 (ID) G. Set d ID = sq ID G. Encrypt. To encrypt M {0,1} n under the public key ID Compute Q ID = H 1 (ID) G 2. Choose r Z p Set C = rp, M H 2 (gid r ) where g ID = t(p pub, Q ID ) G T. Decrypt. C = U, V C Compute V H 2 ( t(u, d ID )) = M. Identity based cryptography p. 14/25

51 Basic scheme Extract. Given ID {0,1}, compute Q ID = H 1 (ID) G. Set d ID = sq ID G. Encrypt. To encrypt M {0,1} n under the public key ID Compute Q ID = H 1 (ID) G 2. Choose r Z p Set C = rp, M H 2 (gid r ) where g ID = t(p pub, Q ID ) G T. Decrypt. C = U, V C Compute V H 2 ( t(u, d ID )) = M. t(u, d ID ) = t(rp, sq ID ) = t(p, Q ID ) sr = t(p pub, Q ID ) r = gid r Identity based cryptography p. 14/25

52 Full scheme FullIdent is obtained by applying Fujisaki-Okamoto conversion from Crypto 99 to BasicIdent Identity based cryptography p. 15/25

53 Full scheme FullIdent is obtained by applying Fujisaki-Okamoto conversion from Crypto 99 to BasicIdent FO conversion If we denote by E pk (M,r) the encryption of M using randomness r under public key pk Identity based cryptography p. 15/25

54 Full scheme FullIdent is obtained by applying Fujisaki-Okamoto conversion from Crypto 99 to BasicIdent FO conversion If we denote by E pk (M,r) the encryption of M using randomness r under public key pk where σ {0, 1} n. E hy pk (M) = E pk(σ,h 3 (σ,m)),h 4 (σ) M Identity based cryptography p. 15/25

55 Full scheme FullIdent is obtained by applying Fujisaki-Okamoto conversion from Crypto 99 to BasicIdent FO conversion If we denote by E pk (M,r) the encryption of M using randomness r under public key pk where σ {0, 1} n. E hy pk (M) = E pk(σ,h 3 (σ,m)),h 4 (σ) M This adds n bits to the resulting ciphertext Identity based cryptography p. 15/25

56 Full scheme (ii) Setup. Choose P G, s Z p and set P pub = sp G. Choose H 1 : {0,1} G, H 2 : G T {0,1} n, H 3 : {0,1} n {0,1} n Z p, H 4 : {0,1} n {0,1} n. Set M = {0,1} n and C = G {0,1} n {0,1} n. params = p, G, G T, t, P, P pub, H 1, H 2,H 3, H 4. The master-key is s Z p. Identity based cryptography p. 16/25

57 Full scheme (iii) Extract. Just as before, d ID = sh 1 (ID) G. Identity based cryptography p. 17/25

58 Full scheme (iii) Extract. Just as before, d ID = sh 1 (ID) G. Encrypt. To encrypt M {0,1} n under the public key ID Compute Q ID = H 1 (ID) G. Choose σ {0,1} n Set C = rp, σ H 2 (gid r, M H 4(σ)) where g ID = t(p pub, Q ID ) G T, and r = H 3 (σ, M). Identity based cryptography p. 17/25

59 Full scheme (iii) Extract. Just as before, d ID = sh 1 (ID) G. Encrypt. To encrypt M {0,1} n under the public key ID Compute Q ID = H 1 (ID) G. Choose σ {0,1} n Set C = rp, σ H 2 (gid r, M H 4(σ)) where g ID = t(p pub, Q ID ) G T, and r = H 3 (σ, M). Decrypt. C = U, V, W C Compute V H 2 ( t(u, d ID )) = M and W H 4 (σ) = M. Set r = H 3 (σ, M). Check that U = rp. If not reject. Identity based cryptography p. 17/25

60 Security result Theorem Let A an IND-ID-CCA adversary running in time t and with advantage ε against FullIdent making at most q E private key extraction queries, q D decryption queries and q H hash queries. Then there is an algorithm B running in time roughly t that has advantage at least problem in G. ε q 2 H q D against BDH Identity based cryptography p. 18/25

61 Security result Theorem Let A an IND-ID-CCA adversary running in time t and with advantage ε against FullIdent making at most q E private key extraction queries, q D decryption queries and q H hash queries. Then there is an algorithm B running in time roughly t that has advantage at least problem in G. ε q 2 H q D against BDH Bilinear Diffie-Hellman (BDH) Problem on G. Given P,aP,bP,cP G as input, compute W = t(p,p) abc G T. Identity based cryptography p. 18/25

62 Waters IBE scheme in the standard model Identity based cryptography p. 19/25

63 Waters scheme Setup. Choose s Z p. Choose P 2 G, and set P 1 = sp G. Identity based cryptography p. 20/25

64 Waters scheme Setup. Choose s Z p. Choose P 2 G, and set P 1 = sp G. Choose Q G and a random n-length vector U = (Q i ) with Q i G. Identity based cryptography p. 20/25

65 Waters scheme Setup. Choose s Z p. Choose P 2 G, and set P 1 = sp G. Choose Q G and a random n-length vector U = (Q i ) with Q i G. Set M = G T, C = G T G G and ID = {0,1} n. Identity based cryptography p. 20/25

66 Waters scheme Setup. Choose s Z p. Choose P 2 G, and set P 1 = sp G. Choose Q G and a random n-length vector U = (Q i ) with Q i G. Set M = G T, C = G T G G and ID = {0,1} n. params = p, G, G T, t, P, P 1, P 2, Q, U. The master-key is sp 2. Identity based cryptography p. 20/25

67 Waters scheme (ii) Extract. Let ID i denote the i-th bit of ID and V {0,..., n} the set of i st ID i = 1. Choose r Z p. ( d ID = (sp 2 Q ) r ) Q i, rp i V Identity based cryptography p. 21/25

68 Waters scheme (ii) Extract. Let ID i denote the i-th bit of ID and V {0,..., n} the set of i st ID i = 1. Choose r Z p. ( d ID = (sp 2 Q ) r ) Q i, rp i V Encrypt. To encrypt M G T under the public key ID Choose x Z p. ( ( Set C = t(p 1, P 2 ) x M, xp, Q i V Q i ) x ). Identity based cryptography p. 21/25

69 Waters scheme (iii) Decryption. Let C = (C 1, C 2, C 3 ) a valid encryption under ID. Decrypt C using d ID = (d 1, d 2 ) as C 1 t(d 2, C 3 ) t(d 1, C 2 ) Identity based cryptography p. 22/25

70 Waters scheme (iii) Decryption. Let C = (C 1, C 2, C 3 ) a valid encryption under ID. Decrypt C using d ID = (d 1, d 2 ) as C 1 t(d 2, C 3 ) t(d 1, C 2 ) Let d ID = ( sp 2 ( Q i V Q i) r, rp ) and Identity based cryptography p. 22/25

71 Waters scheme (iii) Decryption. Let C = (C 1, C 2, C 3 ) a valid encryption under ID. Decrypt C using d ID = (d 1, d 2 ) as C 1 t(d 2, C 3 ) t(d 1, C 2 ) Let d ID = ( sp 2 ( Q i V Q i) r, rp ) and C = ( t(p 1, P 2 ) x M, xp, ( Q i V Q i) x ), then Identity based cryptography p. 22/25

72 Waters scheme (iii) Decryption. Let C = (C 1, C 2, C 3 ) a valid encryption under ID. Decrypt C using d ID = (d 1, d 2 ) as C 1 t(d 2, C 3 ) t(d 1, C 2 ) Let d ID = ( sp 2 ( Q i V Q i) r, rp ) and C = ( t(p 1, P 2 ) x M, xp, ( Q i V Q i) x ), then 2, C 3 ) C 1 t(d t(d 1, C 2 ) = ( t(p t(rp, ( 1, P 2 ) x Q x) i V M) Q i) ( t(sp 2 Q i V Q ) r = i, xp) Identity based cryptography p. 22/25

73 Waters scheme (iii) Decryption. Let C = (C 1, C 2, C 3 ) a valid encryption under ID. Decrypt C using d ID = (d 1, d 2 ) as C 1 t(d 2, C 3 ) t(d 1, C 2 ) Let d ID = ( sp 2 ( Q i V Q i) r, rp ) and C = ( t(p 1, P 2 ) x M, xp, ( Q i V Q i) x ), then 2, C 3 ) C 1 t(d t(d 1, C 2 ) = ( t(p t(rp, ( 1, P 2 ) x Q x) i V M) Q i) ( t(sp 2 Q i V Q ) r = i, xp) t(p, ( ( t(p 1, P 2 ) x Q rx) i V M) Q i) t(p 1, P 2 ) x t( ( Q i V Q ) rx = M. i, P) Identity based cryptography p. 22/25

74 Security result Theorem Let A an IND-ID-CPA adversary running in time t and with advantage ε making at most q E private key extraction queries and q D decryption queries. Then there is an algorithm B running in time roughly t + O(q E nε 2 ln(ε 1 ) ln(q E n)) that has advantage at least ε 32nq E against BDDH problem in G. Identity based cryptography p. 23/25

75 Security result Theorem Let A an IND-ID-CPA adversary running in time t and with advantage ε making at most q E private key extraction queries and q D decryption queries. Then there is an algorithm B running in time roughly t + O(q E nε 2 ln(ε 1 ) ln(q E n)) that has advantage at least ε 32nq E against BDDH problem in G. Decision Bilinear Diffie-Hellman (DBDH) Problem on G. Given P,aP,bP,cP G as input, and T G T,; output yes if T = t(p,p) abc and no otherwise. Identity based cryptography p. 23/25

76 Some applications of IBE schemes IBE schemes imply secure signature schemes Access control Delegation of decryption keys Strong-key insulated encryption Identity based cryptography p. 24/25

77 Some applications of IBE schemes IBE schemes imply secure signature schemes Access control Delegation of decryption keys Strong-key insulated encryption and many more... take a look at Cryptology eprint Archive Identity based cryptography p. 24/25

78 Some applications of IBE schemes IBE schemes imply secure signature schemes Access control Delegation of decryption keys Strong-key insulated encryption and many more... take a look at Cryptology eprint Archive It is fair to say that identity/pairing based cryptography is currently the most active research area in cryptology Identity based cryptography p. 24/25

79 Drawbacks & Open Problems d ID must be sent over a secure channel The system is inherently escrowed Certificate Based encryption (Gentry) Certificate-Less PKC (Al-Riyami&Paterson) (Mostly) Suitable for small environments Security reductions are inefficient Few schemes proven secure without the ROM Identity based cryptography p. 25/25

80 Drawbacks & Open Problems d ID must be sent over a secure channel The system is inherently escrowed Certificate Based encryption (Gentry) Certificate-Less PKC (Al-Riyami&Paterson) (Mostly) Suitable for small environments Security reductions are inefficient Few schemes proven secure without the ROM The slides of this talk are available at dgalindo Identity based cryptography p. 25/25

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

More information

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

More information

Lecture 25: Pairing-Based Cryptography

Lecture 25: Pairing-Based Cryptography 6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: Pairing-Based Cryptography Scribe: Ben Adida 1 Introduction The field of Pairing-Based Cryptography

More information

Certificate Based Signature Schemes without Pairings or Random Oracles

Certificate Based Signature Schemes without Pairings or Random Oracles Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying

More information

Some Identity Based Strong Bi-Designated Verifier Signature Schemes

Some Identity Based Strong Bi-Designated Verifier Signature Schemes Some Identity Based Strong Bi-Designated Verifier Signature Schemes Sunder Lal and Vandani Verma Department of Mathematics, Dr. B.R.A. (Agra), University, Agra-282002 (UP), India. E-mail- sunder_lal2@rediffmail.com,

More information

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood One significant impediment to the widespread adoption of public-key cryptography is its dependence on a public-key infrastructure

More information

New Efficient Searchable Encryption Schemes from Bilinear Pairings

New Efficient Searchable Encryption Schemes from Bilinear Pairings International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

More information

Efficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model *

Efficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 0, 55-568 (04) Efficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model * College of Computer and Information

More information

Lecture 17: Re-encryption

Lecture 17: Re-encryption 600.641 Special Topics in Theoretical Cryptography April 2, 2007 Instructor: Susan Hohenberger Lecture 17: Re-encryption Scribe: Zachary Scott Today s lecture was given by Matt Green. 1 Motivation Proxy

More information

CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction

CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction International Journal of Network Security, Vol.16, No.3, PP.174-181, May 2014 174 CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction Min Zhou 1, Mingwu Zhang 2, Chunzhi

More information

CS3235 - Computer Security Third topic: Crypto Support Sys

CS3235 - Computer Security Third topic: Crypto Support Sys Systems used with cryptography CS3235 - Computer Security Third topic: Crypto Support Systems National University of Singapore School of Computing (Some slides drawn from Lawrie Brown s, with permission)

More information

Public Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13)

Public Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13) Public Key Cryptography in Practice c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13) How Cryptography is Used in Applications The main drawback of public key cryptography is the inherent

More information

Enforcing Role-Based Access Control for Secure Data Storage in the Cloud

Enforcing Role-Based Access Control for Secure Data Storage in the Cloud The Author 211. Published by Oxford University Press on behalf of The British Computer Society. All rights reserved. For Permissions please email: journals.permissions@oup.com Advance Access publication

More information

Lecture 2 August 29, 13:40 15:40

Lecture 2 August 29, 13:40 15:40 Lecture 2 August 29, 13:40 15:40 Public-key encryption with keyword search Anonymous identity-based encryption Identity-based encryption with wildcards Public-key encryption with keyword search & anonymous

More information

Identity Based Undeniable Signatures

Identity Based Undeniable Signatures Identity Based Undeniable Signatures Benoît Libert Jean-Jacques Quisquater UCL Crypto Group Place du Levant, 3. B-1348 Louvain-La-Neuve. Belgium {libert,jjq}@dice.ucl.ac.be http://www.uclcrypto.org/ Abstract.

More information

Bootstrapping Security in Mobile Ad Hoc Networks Using Identity-Based Schemes with Key Revocation

Bootstrapping Security in Mobile Ad Hoc Networks Using Identity-Based Schemes with Key Revocation Bootstrapping Security in Mobile Ad Hoc Networks Using Identity-Based Schemes with Key Revocation Katrin Hoeper and Guang Gong khoeper@engmail.uwaterloo.ca, ggong@calliope.uwaterloo.ca Department of Electrical

More information

Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings

Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Ernie Brickell Intel Corporation ernie.brickell@intel.com Liqun Chen HP Laboratories liqun.chen@hp.com March

More information

Enhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation

Enhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation Enhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation 1 Agenda EPID overview EPID usages Device Authentication Government Issued ID EPID performance and standardization efforts 2

More information

Elliptic Curve Cryptography Methods Debbie Roser Math\CS 4890

Elliptic Curve Cryptography Methods Debbie Roser Math\CS 4890 Elliptic Curve Cryptography Methods Debbie Roser Math\CS 4890 Why are Elliptic Curves used in Cryptography? The answer to this question is the following: 1) Elliptic Curves provide security equivalent

More information

Multi-Channel Broadcast Encryption

Multi-Channel Broadcast Encryption Multi-Channel Broadcast Encryption Duong Hieu Phan 1,2, David Pointcheval 2, and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. Broadcast encryption aims at sending a content

More information

Provably Secure Timed-Release Public Key Encryption

Provably Secure Timed-Release Public Key Encryption Provably Secure Timed-Release Public Key Encryption JUNG HEE CHEON Seoul National University, Korea and NICHOLAS HOPPER, YONGDAE KIM and IVAN OSIPKOV University of Minnesota - Twin Cities A timed-release

More information

Identity-Based Cryptography and Comparison with traditional Public key Encryption: A Survey

Identity-Based Cryptography and Comparison with traditional Public key Encryption: A Survey Identity-Based Cryptography and Comparison with traditional Public key Encryption: A Survey Girish Department of PGS-CEA The National Institute of Engineering, Manadavady Road,Mysore-570008, INDIA Phaneendra

More information

Metered Signatures - How to restrict the Signing Capability -

Metered Signatures - How to restrict the Signing Capability - JOURNAL OF COMMUNICATIONS AND NETWORKS, VOL.?, NO.?, 1 Metered Signatures - How to restrict the Signing Capability - Woo-Hwan Kim, HyoJin Yoon, and Jung Hee Cheon Abstract: We propose a new notion of metered

More information

Efficient Unlinkable Secret Handshakes for Anonymous Communications

Efficient Unlinkable Secret Handshakes for Anonymous Communications 보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique

More information

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography

More information

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

More information

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1 PKI Tutorial Jim Kleinsteiber February 6, 2002 Page 1 Outline Public Key Cryptography Refresher Course Public / Private Key Pair Public-Key Is it really yours? Digital Certificate Certificate Authority

More information

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures. Prof. Zeph Grunschlag Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

More information

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

More information

Secure Conjunctive Keyword Search Over Encrypted Data

Secure Conjunctive Keyword Search Over Encrypted Data Secure Conjunctive Keyword Search Over Encrypted Data Philippe Golle 1 and Jessica Staddon 1 and Brent Waters 2 1 Palo Alto Research Center 3333 Coyote Hill Road Palo Alto, CA 94304, USA E-mail: {pgolle,staddon}@parc.com

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

More information

A Certificateless Signature Scheme for Mobile Wireless Cyber-Physical Systems

A Certificateless Signature Scheme for Mobile Wireless Cyber-Physical Systems The 28th International Conference on Distributed Computing Systems Workshops A Certificateless Signature Scheme for Mobile Wireless Cyber-Physical Systems Zhong Xu Xue Liu School of Computer Science McGill

More information

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket IT 4823 Information Security Administration Public Key Encryption Revisited April 5 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

Efficient File Sharing in Electronic Health Records

Efficient File Sharing in Electronic Health Records Efficient File Sharing in Electronic Health Records Clémentine Gritti, Willy Susilo and Thomas Plantard University of Wollongong, Australia 27/02/2015 1/20 Outline for Section 1 1 Introduction 2 Solution

More information

New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings

New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings Fangguo Zhang 1, Reihaneh Safavi-Naini 1 and Chih-Yin Lin 2 1 School of Information Technology and Computer

More information

A New and Efficient Signature on Commitment Values

A New and Efficient Signature on Commitment Values International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding

More information

Identity-Based Key Agreement and Encryption For Wireless Sensor Networks

Identity-Based Key Agreement and Encryption For Wireless Sensor Networks 182 IJCSNS International Journal of Computer Science and Network Security, VOL.6 No.5B, May 2006 Identity-Based Key Agreement and Encryption For Wireless Sensor Networks Geng Yang 1, Chunming Rong 2, Christian

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

SFWR ENG 4C03 - Computer Networks & Computer Security

SFWR ENG 4C03 - Computer Networks & Computer Security KEY MANAGEMENT SFWR ENG 4C03 - Computer Networks & Computer Security Researcher: Jayesh Patel Student No. 9909040 Revised: April 4, 2005 Introduction Key management deals with the secure generation, distribution,

More information

Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data

Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data V.Abinaya PG Scholar Kalasalingam Institute of Technology Krishnankoil. V.Ramesh Assistant professor Kalasalingam

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

More information

Overview of Public-Key Cryptography

Overview of Public-Key Cryptography CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

More information

Simple Certificateless Signature with Smart Cards

Simple Certificateless Signature with Smart Cards JAIST Reposi https://dspace.j Title Simple Certificateless Signature wit Author(s)Omote, Kazumasa; Miyaji, Atsuko; Kat Citation IEEE/IFIP International Conference o and Ubiquitous Computing, 2008. EUC

More information

Introduction to Cryptography

Introduction to Cryptography Introduction to Cryptography Part 3: real world applications Jean-Sébastien Coron January 2007 Public-key encryption BOB ALICE Insecure M E C C D channel M Alice s public-key Alice s private-key Authentication

More information

Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography

Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt

More information

Security Analysis of DRBG Using HMAC in NIST SP 800-90

Security Analysis of DRBG Using HMAC in NIST SP 800-90 Security Analysis of DRBG Using MAC in NIST SP 800-90 Shoichi irose Graduate School of Engineering, University of Fukui hrs shch@u-fukui.ac.jp Abstract. MAC DRBG is a deterministic random bit generator

More information

Lightweight Encryption for Email

Lightweight Encryption for Email Lightweight Encryption for Email Ben Adida ben@mit.edu 7 July 2005 joint work with Susan Hohenberger and Ronald L. Rivest MIT Cryptography and Information Security Group Motivation To Improve/Restore the

More information

CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

More information

Crittografia e sicurezza delle reti. Digital signatures- DSA

Crittografia e sicurezza delle reti. Digital signatures- DSA Crittografia e sicurezza delle reti Digital signatures- DSA Signatures vs. MACs Suppose parties A and B share the secret key K. Then M, MAC K (M) convinces A that indeed M originated with B. But in case

More information

Identity Based Cryptography for Smart-grid Protection

Identity Based Cryptography for Smart-grid Protection Identity Based Cryptography for Smart-grid Protection MICKAEL AVRIL mavril@assystem.com ABDERRAHMAN DAIF adaif@assystem.com LAURIE BASTA lbasta@assystem.com GREGORY LANDAIS glandais@assystem.com LAURENT

More information

Anonymous ID-based Group Key Agreement for Wireless Networks

Anonymous ID-based Group Key Agreement for Wireless Networks Anonymous ID-based Group Key Agreement for Wireless Networks Zhiguo Wan,KuiRen, Wenjing Lou and Bart Preneel K.U.Leuven, ESAT/SCD, Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee, Belgium Email: {zhiguo.wan,bart.preneel}@esat.kuleuven.be

More information

Public Key Encryption with Keyword Search Revisited

Public Key Encryption with Keyword Search Revisited Public Key Encryption with Keyword Search Revisited Joonsang Baek, Reihaneh Safiavi-Naini,Willy Susilo University of Wollongong Northfields Avenue Wollongong NSW 2522, Australia Abstract The public key

More information

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1

EXAM questions for the course TTM4135 - Information Security May 2013. Part 1 EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

More information

On the Difficulty of Software Key Escrow

On the Difficulty of Software Key Escrow On the Difficulty of Software Key Escrow Lars R. Knudsen and Torben P. Pedersen Katholieke Universiteit Leuven, Belgium, email: knudsen@esat.kuleuven.ac.be Cryptomathic, Denmark, email: tpp@cryptomathic.aau.dk

More information

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0 Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust

More information

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1 KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Alice M D sk[a] (C) Bob pk[a] C C $ E pk[a] (M) σ $ S sk[a] (M) M, σ Vpk[A] (M, σ) Bob can: send encrypted data

More information

Modular Security Proofs for Key Agreement Protocols

Modular Security Proofs for Key Agreement Protocols Modular Security Proofs for Key Agreement Protocols Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, niversity of London, K {c.j.kudla,kenny.paterson}@rhul.ac.uk Abstract.

More information

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian

More information

Lecture 6 - Cryptography

Lecture 6 - Cryptography Lecture 6 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07 Question 2 Setup: Assume you and I don t know anything about

More information

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

More information

3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback 3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

More information

MACs Message authentication and integrity. Table of contents

MACs Message authentication and integrity. Table of contents MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

More information

Verifiable Outsourced Computations Outsourcing Computations to Untrusted Servers

Verifiable Outsourced Computations Outsourcing Computations to Untrusted Servers Outsourcing Computations to Untrusted Servers Security of Symmetric Ciphers in Network Protocols ICMS, May 26, 2015, Edinburgh Problem Motivation Problem Motivation Problem Motivation Problem Motivation

More information

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Introduction to Cryptography What is cryptography?

More information

Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment

Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment Time-Based Proxy Re-encryption Scheme for Secure Data Sharing in a Cloud Environment Qin Liu a,b, Guojun Wang a,, Jie Wu b a School of Information Science and Engineering Central South Uversity Changsha,

More information

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

More information

A Factoring and Discrete Logarithm based Cryptosystem

A Factoring and Discrete Logarithm based Cryptosystem Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

More information

DEVELOPMENT OF CERTIFICATE LESS DIGITAL SIGNATURE SCHEME & ITS APPLICATION IN E-CASH SYSTEM

DEVELOPMENT OF CERTIFICATE LESS DIGITAL SIGNATURE SCHEME & ITS APPLICATION IN E-CASH SYSTEM DEVELOPMENT OF CERTIFICATE LESS DIGITAL SIGNATURE SCHEME & ITS APPLICATION IN E-CASH SYSTEM A Thesis is submitted in partial fulfilment of the requirements for the degree of Bachelor of Technology In Computer

More information

Proxy Cryptography Revisited

Proxy Cryptography Revisited Proxy Cryptography Revisited Anca Ivan, Yevgeniy Dodis Department of Computer Science Courant Institute of Mathematical Sciences New York University, New York, NY 10012 {ivan,dodis}@cs.nyu.edu Abstract

More information

Efficient ID-based authentication and key agreement protocols for the session initiation protocol

Efficient ID-based authentication and key agreement protocols for the session initiation protocol Turkish Journal of Electrical Engineering & Computer Sciences http:// journals. tubitak. gov. tr/ elektrik/ Research Article Turk J Elec Eng & Comp Sci (2015) 23: 560 579 c TÜBİTAK doi:10.3906/elk-1207-102

More information

Privacy in Encrypted Content Distribution Using Private Broadcast Encryption

Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth 1, Dan Boneh 1, and Brent Waters 2 1 Stanford University, Stanford, CA 94305 {abarth, dabo}@cs.stanford.edu 2 SRI

More information

Wildcarded Identity-Based Encryption

Wildcarded Identity-Based Encryption Wildcarded Identity-Based Encryption Michel Abdalla 1, James Birkett 2, Dario Catalano 3, Alexander W. Dent 4, John Malone-Lee 5, Gregory Neven 6,7, Jacob C. N. Schuldt 8, and Nigel P. Smart 9 1 Ecole

More information

The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

More information

Modeling and verification of security protocols

Modeling and verification of security protocols Modeling and verification of security protocols Part I: Basics of cryptography and introduction to security protocols Dresden University of Technology Martin Pitt martin@piware.de Paper and slides available

More information

Cloud Data Storage Security Techniques and Security Issues on Mobile device

Cloud Data Storage Security Techniques and Security Issues on Mobile device Cloud Data Storage Security Techniques and Security Issues on Mobile device Seema Banduji Bhalekar 1 V. M. Thakare 2, Ph. D U.S. Junghare 3 Dept of Computer Science, SGB Amravati Brijlal Biyani Science

More information

Improvement of digital signature with message recovery using self-certified public keys and its variants

Improvement of digital signature with message recovery using self-certified public keys and its variants Applied Mathematics and Computation 159 (2004) 391 399 www.elsevier.com/locate/amc Improvement of digital signature with message recovery using self-certified public keys and its variants Zuhua Shao Department

More information

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23 Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

More information

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

The Journal of Systems and Software

The Journal of Systems and Software The Journal of Systems and Software 82 (2009) 789 793 Contents lists available at ScienceDirect The Journal of Systems and Software journal homepage: www.elsevier.com/locate/jss Design of DL-based certificateless

More information

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631 Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

A Method for Making Password-Based Key Exchange Resilient to Server Compromise

A Method for Making Password-Based Key Exchange Resilient to Server Compromise A Method for Making Password-Based Key Exchange Resilient to Server Compromise Craig Gentry 1, Philip MacKenzie 2, and Zulfikar Ramzan 3 1 Stanford University, Palo Alto, CA, USA, cgentry@cs.stanford.edu

More information

Keyword Search over Shared Cloud Data without Secure Channel or Authority

Keyword Search over Shared Cloud Data without Secure Channel or Authority Keyword Search over Shared Cloud Data without Secure Channel or Authority Yilun Wu, Jinshu Su, and Baochun Li College of Computer, National University of Defense Technology, Changsha, Hunan, China Department

More information

Certificateless Key Insulated Encryption: Cryptographic Primitive for Achieving Key-escrow free and Key-exposure Resilience

Certificateless Key Insulated Encryption: Cryptographic Primitive for Achieving Key-escrow free and Key-exposure Resilience Certificateless Key Insulated Encryption: Cryptographic Primitive for Achieving Key-escrow free and Key-exposure Resilience Libo He, Chen Yuan, Hu Xiong, and Zhiguang Qin School of Information and Software

More information

IT Networks & Security CERT Luncheon Series: Cryptography

IT Networks & Security CERT Luncheon Series: Cryptography IT Networks & Security CERT Luncheon Series: Cryptography Presented by Addam Schroll, IT Security & Privacy Analyst 1 Outline History Terms & Definitions Symmetric and Asymmetric Algorithms Hashing PKI

More information

Secure and Efficient Data Transmission for Cluster-based Wireless Sensor Networks

Secure and Efficient Data Transmission for Cluster-based Wireless Sensor Networks JOURNAL PAPER, ACCEPTED 1 Secure and Efficient Data Transmission for Cluster-based Wireless Sensor Networks Huang Lu, Student Member, IEEE, Jie Li, Senior Member, IEEE, Mohsen Guizani, Fellow, IEEE Abstract

More information

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

More information

Network Security. Chapter 6 Random Number Generation

Network Security. Chapter 6 Random Number Generation Network Security Chapter 6 Random Number Generation 1 Tasks of Key Management (1)! Generation:! It is crucial to security, that keys are generated with a truly random or at least a pseudo-random generation

More information

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1 Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret

More information

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

More information

Definitions for Predicate Encryption

Definitions for Predicate Encryption Definitions for Predicate Encryption Giuseppe Persiano Dipartimento di Informatica, Università di Salerno, Italy giuper@dia.unisa.it Thursday 12 th April, 2012 Cryptographic Proofs 1 Content Results on

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

More information

VoteID 2011 Internet Voting System with Cast as Intended Verification

VoteID 2011 Internet Voting System with Cast as Intended Verification VoteID 2011 Internet Voting System with Cast as Intended Verification September 2011 VP R&D Jordi Puiggali@scytl.com Index Introduction Proposal Security Conclusions 2. Introduction Client computers could

More information

Lukasz Pater CMMS Administrator and Developer

Lukasz Pater CMMS Administrator and Developer Lukasz Pater CMMS Administrator and Developer EDMS 1373428 Agenda Introduction Why do we need asymmetric ciphers? One-way functions RSA Cipher Message Integrity Examples Secure Socket Layer Single Sign

More information

Lightweight Encryption for Email

Lightweight Encryption for Email Lightweight Encryption for Email Ben Adida MIT ben@mit.edu Susan Hohenberger MIT srhohen@mit.edu Ronald L. Rivest MIT rivest@mit.edu Abstract Email encryption techniques have been available for more than

More information

CS 392/681 - Computer Security

CS 392/681 - Computer Security CS 392/681 - Computer Security Module 3 Key Exchange Algorithms Nasir Memon Polytechnic University Course Issues HW 3 assigned. Any lab or course issues? Midterm in three weeks. 8/30/04 Module 3 - Key

More information

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem Jintai Ding, Xiang Xie, Xiaodong Lin University of Cincinnati Chinese Academy of Sciences Rutgers University Abstract.

More information