Threshold Identity Based Encryption Scheme without Random Oracles

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Threshold Identity Based Encryption Scheme without Random Oracles"

Transcription

1 WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yat-sen University Guangzhou, P.R. China Yanming Wang Lingnan College Sun Yat-sen University Guangzhou, P.R. China Abstract The first threshold identity-based encryption scheme secure against chosen identity and ciphertext attacks is proposed in this paper. Our construction is based on the recently proposed identity-based encryption scheme of Waters in EUROCRYPT The new threshold identity-based encryption scheme is non-interactive and does not rely on the random oracle model. Key words: Threshold encryption, Identity-Based, Bilinear pairings, Provable security 1 Introduction Identity-based cryptosystem [16] is a public key cryptosystem where the public key can be an arbitrary string such as an address. A private key generator (PKG) uses a master secret key to issue private keys to identities that request them. For an Identity-Based Encryption (IBE) scheme, Alice can securely encrypt a message to Bob using Bob s identity, such as address, as the public key. Many identity-based signature schemes have been proposed such as [1,11] since shamir proposed the Identity-based cryptosystem. However, until 2001, Boneh and Franklin [7] proposed the first practical 1 This work is supported by the National Natural Science Foundation of China NO The first author is supported by KaiSi Grant 2 This paper is electronically published in Electronic Notes in Theoretical Computer Science URL:

2 identity-based encryption scheme, which is provably secure in the random oracle model. Subsequently, Waters proposed the first provably secure IBE [18] without relying on the random oracle model in EUROCRYPT In a (k, n)-threshold encryption system, an entity, called the combiner, has a ciphertext C that it wishes to decrypt. The combiner sends C to the decryption servers, and receives partial decryption shares from at least k out of the n decryption servers. It then combines these k partial decryptions into a complete decryption of C. Ideally, there is no other interaction in the system, namely the servers need not talk to each other during decryption. Such threshold systems are called non-interactive. Meanwhile, often one requires that threshold decryption be robust [13, 17], namely if threshold decryption of a valid ciphertext fails, the combiner can identify the decryption servers that supplied invalid partial decryptions. In order to prevent a single PKG from full possession of the master key in identity-based encryption, Boneh and Franklin [7] suggested that the PKG s master key should be shared among a number of PKGs using the techniques of threshold cryptography, which they call distributed PKG. A (k, n)-threshold identity-based encryption (T IBE) [6] is an identity-based system where the master secret key is distributed among n PKGs so that at least k PKGs are needed for key generation. Many reductionist security proofs used the random oracle model [2]. Several papers proved that some popular cryptosystems previously proved secure in the random oracle are actually provably insecure when the random oracle is instantiated by any real-world hashing functions [3]. Therefore, provably secure T IBE scheme in the standard model attracts a great interest. The first T IBE without random oracles was proposed by Boneh et al. [6], however, it is only semantically and selective-id secure. In this paper, we propose a new T IBE scheme based on the recently proposed identity-based encryption scheme [18] by Waters. The new T IBE scheme is the first T IBE scheme that can be proved to be adaptively chosen identity and chosen ciphertext secure without relying on the random oracle model. Organization. The next section briefly gives the definition of T IBE and explains the bilinear pairing and some problems related to pairings. Section 3 shows a concrete construction of T IBE. Its security analysis is also given in this section. The paper ends with some concluding remarks. 2 Preliminaries 2.1 Security Definitions and Notions We shows the definition as follows: Definition 2.1 A (k, n)-t IBE scheme consists of algorithms (Setup, ShareKeyGen, 2

3 ShareVerify, Combine, Encrypt, ValidateCT, Decrypt). specified as follows: Li These algorithms are 1. Setup is parameter generation algorithm. Takes as input the number of decryption servers n, a threshold k where 1 k n, and a security parameter 1 λ. It outputs a triple (P K, V K, SK), where P K is called the system parameters, V K is called a verification key, and SK = (SK 1,, SK n ) is a vector of master key shares. Decryption server i is given the master key share (i, SK i ); 2. ShareKeyGen: Takes as input the system parameters P K, an identity ID, and a master key share (i, SK i ). It outputs a private key share θ i for ID. 3. ShareVerify: Takes as input the system parameters P K, the verification key V K, an identity ID, and a private key share θ i. It outputs 1 if it is valid or 1 if it is invalid. 4. Combine: Takes as input P K, V K, an identity ID and k private key shares θ 1,, θ k, it outputs d ID or. 5. Encrypt: Takes P K, an identity ID, and a message M, and outputs a ciphertext C. 6. ValidateCT: Takes as input PK, an identity ID, and a ciphertext C. It outputs 1 if it is valid or 0 if it is invalid. 7. Decrypt: Takes as input P K, ID, a private key d ID, and a ciphertext C. It outputs a message M or. Security of a T IBE is defined using two properties: security against chosen identity attacks and consistency of key generation. There are two ways to define chosen identity attacks against IBE schemes, depending on whether the adversary chooses the target identity adaptively (an adaptive-id attack [7]) or selects it in advance (a selective-id attack [5]). It only proposed a scheme secure against selective-id attack in [6]. We now define a security notion for the T IBE scheme against chosen identity and chosen-ciphertext attacks. Its formal definition is based on the following game between a challenger and a static adversary A. Both are given n, k, and a security parameter λ as input. Initialization: The adversary outputs a set S {1,, n} of k 1 decryption servers to corrupt. Setup: The challenger runs Setup to obtain a random instance (P K, V K, SK) where SK = (SK 1,, SK n ). It gives the adversary P K, V K, and all (j, SK j ) for j S. Phase 1: The adversary adaptively issues chosen identity queries (ID, i). The challenger responds with ShareKeyGen(P K, i, SK i, ID). Meanwhile, it can also issue chosen ciphertext queries (ID, C), the challenger responds with Decrypt(C, SK i, ID). 3

4 Challenge: A outputs an identity ID, and two equal length plaintexts m 0,m 1 for challenge ciphertext. The challenger chooses a random b {0, 1} and sends the challenge ciphertext C =Enc(ID, m b ) to A. Phase 2: A continues to query as in phase 1. Guess: Finally, A outputs a guess bit b. We say that A wins the game if b =b. The advantage Adv cca A (1 k ) of A is defined as the probability that it wins the game over 1 2. Definition 2.2 An T IBE scheme is secure if Adv cca A (1 λ ) is negligible for any probabilistic polynomial time (PPT) adversary A. 2.2 One-Time Signature Before we give the definition of one-time signature (OTS), we first show the definition of generic signature scheme. A signature scheme is made up of three algorithms, Gen, Sign, and Verify, for generating keys, signing, and verifying signatures, respectively. The standard notion of security for a signature scheme is called existential unforgeability under a chosen message attack [17], which is defined through the following game between a challenger C and an adversary A: 1. C runs Gen(1 λ ) and obtains a public key pk and secret key sk. The public key pk is sent to A. 2. A requests signatures on at most q S messages m i adaptively for i = 1,, q S, C returns the corresponding signature σ i which is obtained by running algorithm Sign. 3. Finally, A outputs (m, σ ), where m is a message, and σ is a signature, such that m are not equal to the inputs of any query to Sign. A wins the game if σ is a valid signature of m. A signature is called secure if A can t output such valid forged signature after the above game. The security definition of OTS is the same as signatures, except that the attacker is restricted to query the signing oracle for only one time, i.e., q S = Pairings and Problems Our scheme uses bilinear pairings on elliptic curves. We now give a brief revision on the property of pairings and some candidate hard problems from pairings that will be used later. Let G, G T be cyclic groups of prime order p, writing the group action multiplicatively. Let g be a generator of G. Definition 2.3 A map ê : G G G T is called a bilinear pairing if, for all x, y G and a, b Z p, we have ê(x a, y b ) = ê(x, y) ab, and ê(g, g) 1. Definition 2.4 (Decision Bilinear Diffie-Hellman Problem) The Decision BDH 4

5 problem is that, given g,g x, g y, g z (G) 4 for unknown x, y, z Z p, T G T, to decide if T = ê(g, g) xyz. We say that the Decision (t, ɛ)-bdh assumption holds in G if no t-time algorithm has the probability at least 1 + ɛ in solving the Decision BDH 2 problem for non-negligible ɛ. 3 The Threshold Identity-Based Encryption Scheme 3.1 Brief Review of Waters Identity-Based Encryption Let G be a bilinear group of prime order p. Given a pairing: ê : G G G T. Identities will be represented as bitstrings of length n. We can also let identities be arbitrary length and n be the output of a collision resistant hash function. Setup. To generate system parameters, the algorithm selects a random generator g G, picks a random α Z p, and sets g 1 = g α. Additionally, two random value g 2, u G and a random n-length vector U = (u i ), whose elements are chosen at random from G. The system parameters param = (g, g 1, g 2, u, U) and the master key is g α 2. Extract. Let ID=(I 1,, I n ) {0, 1} n be an n bit string representing an identity. To generate a private key for ID, the algorithm picks a random r Z p and returns S ID = (d 1, d 2 ), where d 1 = g2 α (u n i )r, d 2 = g r. Enc. To generate the ciphertertext on a plaintext M G T with respect to ID, pick s R Zp, output ciphertext C = (C 1, C 2, C 3 ), where C 1 = ê(g 1, g 2 ) s M, C 2 = g s, C 3 = (u n i )s. Dec. On input ciphertext C = (C 1, C 2, C 3 ), private key S ID ID, output the plaintex M = C 1 ê(d 2,C 3 ). ê(d 1,C 2 ) = (d 1, d 2 ) for 3.2 The Threshold Identity-Based Encryption Scheme without Random Oracles 1. Setup. To generate system parameters, select a random generator g G, picks a random α Z p, and sets g 1 = g α. Additionally, three random values g 2, h, u G and a random n-length vector U = (u i ), whose elements are chosen at random from G. Furthermore, it chooses a k 1 degree function f(x) Z p (x) such that α = f(0) and computes n master key share (i, sk i ) for 1 i n, which is defined as sk i = g f(i) 2. The public verification key VK consists of the n-tuple (g f(1),, g f(n) ). Additionally, a hash function H : {0, 1} Z p is defined. The system parameters param = (g, g 1, g 2, h, u, U, VK, H) and the master key share of server i is sk i 5

6 for 1 i n. 2. ShareKeyGen. Let ID=(I 1,, I n ) {0, 1} n be an n bit string representing an identity. Pick a random r i Z p and return d i = (sk i (u n i )r i, g r i ) for 1 i n. 3. ShareVerify. To verify if d i = (d i,1, d i,2 ) is a valid private key share for identity ID=(I 1,, I n ), let V K = (vk 1,, vk n ) where vk i = g f(i). Output 1 or 0 according to the truth of the following condition: ê(d i,1, g) =? ê(vk i, g 2 ) ê(d i,2, u n j=1 ui j j ). 4. Combine. Without loss of generality we assume that decryption servers i = 1,, k were used to generate d 1,, d k. To derive the private key for ID, let λ 1,, λ k Z p be the Lagrange coefficients so that α = f(0) = k i=0 λ if(i). Output the private key d ID =( k i=1 dλ i i,1, k i=1 dλ i i,2 )=(gα 2 (u n i )r, g r ) for some r Z p, which is the same with private key in Waters extraction algorithm. 5. Encrypt. To generate the ciphtertext on a plaintext M G T with respect to ID=(I 1,, I n ) {0, 1} n, it generates a one-time signature key pair (vk, sk) Gen(1 λ ). Then, it picks s R Z p and outputs the ciphertext C = (c 1, c 2, c 3, c 4, c 5, c 6 ), where c 1 = ê(g 1, g 2 ) s M, c 2 = g s, c 3 = (u n i )s, c 4 c 5 = Sign sk (c 1, c 2, c 3, c 4 ), c 6 = vk. = (g H(vk) 1 h) s, 6. ValidateCT. To validate a ciphertext C = (c 1, c 2, c 3, c 4, c 5, c 6 ), it checks if Verify c6 (c 5 ) = 1. If it holds, then checks if ê(c 1, u n i=1 u i) = ê(g, c 3 ) and ê(c 1, g H(c 6) 1 h) = ê(g, c 4 ). Output 1 if it holds. Otherwise, output Decrypt. Given ciphertext C = (c 1, c 2, c 3, c 4, c 5, c 6 ) and private key d ID =(d 1,d 2 ), it first check that ValidateCT(P K, ID, C) = 1. If check fails, output and exit. Otherwise, picks a random value r Z p and outputs a plaintext M=c 1 ê (d 2, c 3 ) ê(g r, c 4 )/ ê (d 1 (g H(c 6) 1 h) r, c 2 ). 6

7 3.3 Security Result Theorem 3.1 The T IBE system above is secure against chosen identity and chosen ciphertext attacks if the Decision BDH assumption holds and one-time signature is secure. Proof. Our algorithm C described below solves Decision BDH problem for a randomly given instance {g, X = g x, Y = g y, Z = g z, T } and asked to decide if T = e(g, g) xyz. Setup: Simulator C defines g 1 = X and g 2 = Y. Meanwhile, it runs Gen to get one-time key pair (vk, sk ). It also defines a hash function H : {0, 1} Z p and assigns h = g H(vk ) 1 g ω. It sets an integer, m = 4q E, and chooses an integer, k, uniformly at random between 0 and n. It then chooses a random n-length vector, a = (a i ), where the elements of a are chosen uniformly at random between 0 and m 1. Additionally, the simulator chooses a random b Z p and an n-length vector, b = (b i ), where the elements of b are chosen at random in Z p. These values are all kept internal to the simulator. It then assigns u = g p k m+a 1 g b and the parameter U as u i = g a i 1 g b i for 1 i n. The system parameters (g, g 1, g 2, u, U) are sent to A. To make the notation easier to follow, the following two pairs of functions are defined for an identity ID = {I 1,, I n } {0, 1} n. We define F (ID) = (p mk) + a + n i=1 ai i i. Next, we define J(ID) = b + n i=1 bi i i. Finally, we define a binary function 0, if a + n i=1 K(ID) as K(ID) = ai i i 0 (mod m); 1, otherwise. Assume w.l.o.g. that the adversary corrupted the first k 1 players S = {P 1,..., P k 1 }. Then, C generates the secret key shares for the k 1 corrupted players. To do so, C first picks k 1 random integers x 1,..., x k 1 Z p. Let f Z p [X] be the degree k 1 polynomial implicitly defined to satisfy f(0) = x and f(i) = x i for i = 1,..., k 1. (note that C does not know f since it does not know x). C gives A the k 1 secret key shares sk i = g x i 2. These keys are consistent with this polynomial f since sk i = g f(i) 2 for i = 1,..., k 1. Finally, C constructs the verification key VK, which is a n-vector (vk 1,..., vk n ) such that vk i = g f(i) for the polynomial f defined above, as follows: For i S, computing vk i is easy since f(i) is equal to one of the x 1,..., x k 1, which are known to C. Thus, vk 1,..., vk k 1 are easy to compute. For i S, C needs to compute the Lagrange coefficients λ 0,i, λ 1,i,..., λ k 1,i Z p such that f(i) = λ 0,i f(0) + k 1 j=1 λ j,if(j); these Lagrange coefficients can be easily calculated since they do not depend on f. Algorithm C then sets vk i = g λ 0,i 1 vk λ 1,i 1... vk λ k 1,i, which entails that vk i = g f(i) as required. k 1 Once it has computed all the vk i s, C gives to A the verification key VK = (vk 1,..., vk n ). 7

8 Extraction Queries: Assume the adversary asks for at most q E extraction queries. C first computes the Lagrange coefficients λ 0,i, λ 1,i,..., λ k 1,i Z p such that f(i) = λ 0,i f(0) + k 1 j=1 λ j,if(j). Given and identity ID for private key, C will abort if K(ID) = 0. Otherwise, he randomly picks r i Z p and outputs the simulated secret share as: d i = (g λ J(ID) 0,i F (ID) 2 (u n k 1 j=1 λ j,if(j) λ 0,i F (ID) i )r i g2, g2 g r i ). Let ri = r i λ 0,iy (which is not known to C), then F (ID) the correctness of the signature can be verified as follows: g λ J(ID) 0,i F (ID) 2 (u k 1 n i )r i g j=1 λ j,if(j) 2 = g λ 0,ix 2 g λ 0,iy k 1 j=1 λ j,if(j) J(ID) F (ID) 1 g2 g λ 0,i 2 (u n = g f(i) 2 (u n j=1 ui j j )r i. λ 0,i i )r i F (ID) Additionally, we have g2 g r i = g r i. So, it is a valid signature share from the view of A. Decryption Queries: A issues up to q S decryption queries to the uncorrupt servers. Let C = (c 1, c 2, c 3, c 4, c 5, c 6 ) be the ciphertext for decryption query for identity ID = (I 1,, I n ). C first checks if the ciphertext is valid. If it is not, output a distinguished symbol. Otherwise, pick random ω, r Zp and output the plaintext M=c 1 ê (g r, c 3 ) ê(g ω g H(vk ) H(vk) 2, c 4 )/ ê (u n i=1 u i) r (g H(c 6) 1 h) ω g ω(h(vk ) H(vk)) 2, c 2 ). The correctness of the decryption can be verified as follows: Let r = ω (which is not known to C), then y H(vk) H(vk ) (u n i=1 u i) r (g H(c 6) 1 h) ω g ω(h(vk ) H(vk)) 2 =g2(u x n i=1 (u i) I i ) r (g H(vk) 1 h) r. Furthermore, g ω g H(vk ) H(vk) 2 = g r. Finally, the adversary submits two messages m 0, m 1, and identity ID for challenge ciphertext. If a + n i=1 ai i i km, the challenger will abort and submit a random guess. Otherwise, we have F (ID) 0 (mod p) and the simulator will flip a fair coin, γ, and construct the ciphertext as C = (c 1, c 2, c 3, c 4, c 5, c 6) = (T m γ, Z, Z J(ID ), Z ω, Sign sk (c 1, c 2, c 3, c 4 ), vk ). It is easy to verify it is a valid simulated ciphertext. The simulator repeats the same method as above if the adversary submits extraction queries and decryption queries. Meanwhile, for the one-time signature scheme is secure, the adversary cannot submit a valid ciphertext such that c 6 = vk, otherwise, the one-time signature scheme is insecure. The simulator can simulate the decryption as above. Finally, the adversary A outputs a guess γ of γ. If γ = γ, then C decides that T = ê(g, g) xyz. Otherwise, T ê(g, g) xyz. It is easy to verify that if the advantage of A is ɛ, then C can also have an advantage ɛ to the Decision BDH problem. It remains to analyze the probability of C not aborting. For the simulation to complete without aborting, we require that all extraction queries on an 8

9 identity ID have K(ID) 0 mod m, that challenge query on an identity ID has F(ID ) 0 mod p. In fact, the probability analysis is very similar to [18]. 1 As the analysis in [18], the lower bound of not aborting is 8(n+1)q E. Meanwhile, by combining the abort and non-abort cases, we can get the probability ɛ of solving Decision BDH problem as 32(n+1)q E if the adversary success with probability ɛ. 4 Conclusion We propose the first T IBE scheme secure against chosen identity and chosen ciphertext attacks. Our construction is based on the recently proposed identity-based encryption scheme of Waters in EUROCRYPT Furthermore, the scheme is non-interactive and does not rely on random oracles. References [1] M. Bellare, C.Namprempre, and G.Neven. Security Proofs for Identity-based Identification and Signature Schemes. EuroCrypt 04, LNCS 3027, pp Springer, [2] M.Bellare, P.Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In First ACM Conference on Computer and Communications Security, ACM, [3] M. Bellare, A. Boldyreva, and A. Palacio. An Uninstantiable Random-Oracle- Model Scheme for a Hybrid-Encryption Problem. EUROCRYPT 2004, LNCS 3027, pages Springer, [4] D. Boneh and X. Boyen. Short Signatures Without Random Oracles. EUROCRYPT 04, Proceedings, volume 3027 of Lecture Notes in Computer Science, pages 56-73, Springer, [5] D. Boneh and X. Boyen. Efficient selective-id identity based encryption without random oracles. EUROCRYPT 04, LNCS 3027, pages Springer-Verlag, [6] D. Boneh, X. Boyen and S. Halevi. Chosen ciphertext secure public key threshold encryption without random oracles. CT-RSA 05. LNCS 3860, pp , springer, [7] D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, Crypto 01, LNCS 2139, pp , Springer-Verlag, [8] D. Boneh and J. Katz. Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption. Topics in Cryptology-CT-RSA 2005, LNCS 3376, pages , springer,

10 [9] X. Boyen, Q. Mei, and B.Waters. Direct Chosen ciphertext security from identity-based techniques. CCS 05. ACM press, Full version at [10] Canetti, S. Halevi, and J. Katz. Chosen-ciphertext security from identity-based encryption. EUROCRYPT 04, LNCS 3027, pages , Springer-Verlag, [11] J.C. Cha and J.H. Cheon, An identity-based signature from gap Diffie-Hellman groups, PKC 03, LNCS 2567, pp , Springer-Verlag, [12] R. Cramer and V. Shoup. A Practical Public Key Cryptosystem Provably Secure Against Chosen Ciphertext Attack. Crypto 98, LNCS 1462, Springer- Verlag, pp , [13] P. Fouque and D. Pointcheval, Threshold Cryptosystems Secure Chosen- Ciphertext Attacks, Proceedings of ASIACRYPT 2001, LNCS 2248, pages , Springer-Verlag, [14] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, Secure Distributed Key Generation for Discrete-Log Based Cryptosystem, Proceedings of EUROCRYPT 99, LNCS 1592, pages , Springer-Verlag, [15] Y. Mu, V. Varadharajan, and K. Nguyen, Delegated decryption, IMA-Crypto Coding 99, LNCS 1746, pp , Springer-Verlag, [16] A.Shamir, Identity-based cryptosystems and signature schemes, Crypto 84, LNCS 196, pp.47-53, Springer-Verlag, [17] V. Shoup and R. Gennaro, Securing Threshold Cryptosystems against Chosen Ciphertext Attack, Journal of Cryptology, Vol. 15, pages 75-96, Springer-Verlag, [18] B.Waters, Efficient Identity based Encryption without random oracles. EUROCRYPT 2005, LNCS 3494, pp , Springer-Verlag,

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

More information

Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

More information

Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model

Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model Informatica 3 (008) 07 11 07 Efficient Hierarchical Identity Based Encryption Scheme in the Standard Model Yanli Ren and Dawu Gu Dept. of Computer Science and Engineering Shanghai Jiao Tong University

More information

encryption Presented by NTU Singapore

encryption Presented by NTU Singapore A survey on identity based encryption Presented by Qi Saiyu NTU Singapore Outline Introduction of public key encryption Identitybased encryption (IBE) Hierarchical identity based encryption (HIBE) Before

More information

New Efficient Searchable Encryption Schemes from Bilinear Pairings

New Efficient Searchable Encryption Schemes from Bilinear Pairings International Journal of Network Security, Vol.10, No.1, PP.25 31, Jan. 2010 25 New Efficient Searchable Encryption Schemes from Bilinear Pairings Chunxiang Gu and Yuefei Zhu (Corresponding author: Chunxiang

More information

Hybrid Signcryption Schemes with Insider Security (Extended Abstract)

Hybrid Signcryption Schemes with Insider Security (Extended Abstract) Hybrid Signcryption Schemes with Insider Security (Extended Abstract) Alexander W. Dent Royal Holloway, University of London Egham Hill, Egham, Surrey, TW20 0EX, U.K. a.dent@rhul.ac.uk http://www.isg.rhul.ac.uk/~alex/

More information

Certificate Based Signature Schemes without Pairings or Random Oracles

Certificate Based Signature Schemes without Pairings or Random Oracles Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying

More information

Cryptography. Identity-based Encryption. Jean-Sébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg

Cryptography. Identity-based Encryption. Jean-Sébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg Identity-based Encryption Université du Luxembourg May 15, 2014 Summary Identity-Based Encryption (IBE) What is Identity-Based Encryption? Difference with conventional PK cryptography. Applications of

More information

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

More information

Efficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model *

Efficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model * JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 0, 55-568 (04) Efficient Certificate-Based Encryption Scheme Secure Against Key Replacement Attacks in the Standard Model * College of Computer and Information

More information

Ciphertext-Auditable Identity-based Encryption

Ciphertext-Auditable Identity-based Encryption International Journal of Network Security, Vol.17, No.1, PP.23 28, Jan. 2015 23 Ciphertext-Auditable Identity-based Encryption Changlu Lin 1, Yong Li 2, Kewei Lv 3, and Chin-Chen Chang 4,5 (Corresponding

More information

A New and Efficient Signature on Commitment Values

A New and Efficient Signature on Commitment Values International Journal of Network Security, Vol.7, No., PP.0 06, July 2008 0 A New and Efficient Signature on Commitment Values Fangguo Zhang,3, Xiaofeng Chen 2,3, Yi Mu 4, and Willy Susilo 4 (Corresponding

More information

IEEE Draft P1363.3. Identity Based Public Key Cryptography Based On Pairings. Daniel Schliebner. 14. Dezember 2009

IEEE Draft P1363.3. Identity Based Public Key Cryptography Based On Pairings. Daniel Schliebner. 14. Dezember 2009 Identity Based Public Key Cryptography Based On Pairings 14. Dezember 2009 Gliederung Introduction Identity Based Encryption The Protocol Security Of The Protocol Discussion About The Headline Identity

More information

Introduction to Security Proof of Cryptosystems

Introduction to Security Proof of Cryptosystems Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to

More information

Fuzzy Identity-Based Encryption

Fuzzy Identity-Based Encryption Fuzzy Identity-Based Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) Identity-Based Encryption Formal definition Security Idea Ingredients Construction Security Extensions

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz Abstract We propose simple and efficient CCA-secure public-key encryption schemes (i.e., schemes

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Ran Canetti 1, Shai Halevi 1, and Jonathan Katz 2 1 IBM T. J. Watson Research Center, Hawthorne, NY. {canetti,shaih}@watson.ibm.com 2 Dept. of

More information

Identity Based Undeniable Signatures

Identity Based Undeniable Signatures Identity Based Undeniable Signatures Benoît Libert Jean-Jacques Quisquater UCL Crypto Group Place du Levant, 3. B-1348 Louvain-La-Neuve. Belgium {libert,jjq}@dice.ucl.ac.be http://www.uclcrypto.org/ Abstract.

More information

1 Message Authentication

1 Message Authentication Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

Chosen-Ciphertext Security from Identity-Based Encryption

Chosen-Ciphertext Security from Identity-Based Encryption Chosen-Ciphertext Security from Identity-Based Encryption Dan Boneh Ran Canetti Shai Halevi Jonathan Katz June 13, 2006 Abstract We propose simple and efficient CCA-secure public-key encryption schemes

More information

Fuzzy Identity Based Encryption Preliminary Version

Fuzzy Identity Based Encryption Preliminary Version Fuzzy Identity Based Encryption Preliminary Version Amit Sahai Brent R. Waters Abstract We introduce a new type of Identity Based Encryption (IBE) scheme that we call Fuzzy Identity Based Encryption. A

More information

Non-Interactive CCA-Secure Threshold Cryptosystems with Adaptive Security: New Framework and Constructions

Non-Interactive CCA-Secure Threshold Cryptosystems with Adaptive Security: New Framework and Constructions Non-Interactive CCA-Secure Threshold Cryptosystems with Adaptive Security: New Framework and Constructions Benoît Libert 1 and Moti Yung 2 1 Université catholique de Louvain, ICTEAM Institute (Belgium)

More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

Privacy in Encrypted Content Distribution Using Private Broadcast Encryption

Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Privacy in Encrypted Content Distribution Using Private Broadcast Encryption Adam Barth 1, Dan Boneh 1, and Brent Waters 2 1 Stanford University, Stanford, CA 94305 {abarth, dabo}@cs.stanford.edu 2 SRI

More information

Lecture 25: Pairing-Based Cryptography

Lecture 25: Pairing-Based Cryptography 6.897 Special Topics in Cryptography Instructors: Ran Canetti and Ron Rivest May 5, 2004 Lecture 25: Pairing-Based Cryptography Scribe: Ben Adida 1 Introduction The field of Pairing-Based Cryptography

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

Multi-authority attribute-based encryption with honest-but-curious central authority

Multi-authority attribute-based encryption with honest-but-curious central authority International Journal of Computer Mathematics Vol. 89, No. 3, February 2012, 268 283 Multi-authority attribute-based encryption with honest-but-curious central authority Vladimir Božović a, Daniel Socek

More information

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6. 1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

More information

A Method for Making Password-Based Key Exchange Resilient to Server Compromise

A Method for Making Password-Based Key Exchange Resilient to Server Compromise A Method for Making Password-Based Key Exchange Resilient to Server Compromise Craig Gentry 1, Philip MacKenzie 2, and Zulfikar Ramzan 3 1 Stanford University, Palo Alto, CA, USA, cgentry@cs.stanford.edu

More information

Public-Key Encryption (Asymmetric Encryption)

Public-Key Encryption (Asymmetric Encryption) Public-Key Encryption (Asymmetric Encryption) Summer School, Romania 2014 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1 The story so far (Private-Key Crypto) Alice establish secure

More information

Universal Padding Schemes for RSA

Universal Padding Schemes for RSA Universal Padding Schemes for RSA Jean-Sébastien Coron, Marc Joye, David Naccache, and Pascal Paillier Gemplus Card International, France {jean-sebastien.coron, marc.joye, david.naccache, pascal.paillier}@gemplus.com

More information

Efficient Unlinkable Secret Handshakes for Anonymous Communications

Efficient Unlinkable Secret Handshakes for Anonymous Communications 보안공학연구논문지 (Journal of Security Engineering), 제 7권 제 6호 2010년 12월 Efficient Unlinkable Secret Handshakes for Anonymous Communications Eun-Kyung Ryu 1), Kee-Young Yoo 2), Keum-Sook Ha 3) Abstract The technique

More information

Introduction to Cryptography

Introduction to Cryptography Introduction to Cryptography Part 2: public-key cryptography Jean-Sébastien Coron January 2007 Public-key cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has

More information

CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction

CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction International Journal of Network Security, Vol.16, No.3, PP.174-181, May 2014 174 CCLAS: A Practical and Compact Certificateless Aggregate Signature with Share Extraction Min Zhou 1, Mingwu Zhang 2, Chunzhi

More information

Provably Secure Cryptography: State of the Art and Industrial Applications

Provably Secure Cryptography: State of the Art and Industrial Applications Provably Secure Cryptography: State of the Art and Industrial Applications Pascal Paillier Gemplus/R&D/ARSC/STD/Advanced Cryptographic Services French-Japanese Joint Symposium on Computer Security Outline

More information

Secure Identity Based Encryption Without Random Oracles

Secure Identity Based Encryption Without Random Oracles An extended abstract of this paper is to appear in Advances in Cryptology CRYPTO 2004, Springer-Verlag. Secure Identity Based Encryption Without Random Oracles Dan Boneh dabo@cs.stanford.edu Xavier Boyen

More information

A Performance Analysis of Identity-Based Encryption Schemes

A Performance Analysis of Identity-Based Encryption Schemes A Performance Analysis of Identity-Based Encryption Schemes Pengqi Cheng, Yan Gu, Zihong Lv, Jianfei Wang, Wenlei Zhu, Zhen Chen, Jiwei Huang Tsinghua University, Beijing, 084, China Abstract We implemented

More information

Title Goes Here An Introduction to Modern Cryptography. Mike Reiter

Title Goes Here An Introduction to Modern Cryptography. Mike Reiter Title Goes Here An Introduction to Modern Cryptography Mike Reiter 1 Cryptography Study of techniques to communicate securely in the presence of an adversary Traditional scenario Goal: A dedicated, private

More information

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures. Prof. Zeph Grunschlag Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

More information

Non-Interactive CCA-Secure Threshold Cryptosystems with Adaptive Security: New Framework and Constructions

Non-Interactive CCA-Secure Threshold Cryptosystems with Adaptive Security: New Framework and Constructions Non-Interactive CCA-Secure Threshold Cryptosystems with Adaptive Security: New Framework and Constructions Benoît Libert 1 and Moti Yung 2 1 Université catholique de Louvain, ICTEAM Institute (Belgium)

More information

Message Authentication Code

Message Authentication Code Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

More information

Universally Composable Identity-Based Encryption

Universally Composable Identity-Based Encryption All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to

More information

Acknowledgements. Notations and abbreviations

Acknowledgements. Notations and abbreviations Abstract This work explains the fundamental definitions required to define and create Fuzzy Identity- Based Encryption schemes as an error-tolerant version of Identity-Based Encryption schemes, along with

More information

Paillier Threshold Encryption Toolbox

Paillier Threshold Encryption Toolbox Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created

More information

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

More information

Analysis of Privacy-Preserving Element Reduction of Multiset

Analysis of Privacy-Preserving Element Reduction of Multiset Analysis of Privacy-Preserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaC-RIM, Seoul

More information

COM S 687 Introduction to Cryptography October 19, 2006

COM S 687 Introduction to Cryptography October 19, 2006 COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: Non-Malleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 Non-Malleability Until this point we have discussed

More information

Password Protected Smart Card and Memory Stick Authentication Against Off-line Dictionary Attacks

Password Protected Smart Card and Memory Stick Authentication Against Off-line Dictionary Attacks Password Protected Smart Card and Memory Stick Authentication Against Off-line Dictionary Attacks Yongge Wang Department of Software and Information Systems UNC Charlotte, Charlotte, NC 28223, USA yonwang@uncc.edu

More information

Identity-Based Encryption: A 30-Minute Tour. Palash Sarkar

Identity-Based Encryption: A 30-Minute Tour. Palash Sarkar Identity-Based Encryption: A 30-Minute Tour Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata,

More information

Secure and Efficient Identity-based Proxy Multi-signature Using Cubic Residues

Secure and Efficient Identity-based Proxy Multi-signature Using Cubic Residues International Journal of Network Security, Vol.18, No.1, PP.90-98, Jan. 2016 90 Secure and Efficient Identity-based Proxy Multi-signature Using Cubic Residues Feng Wang 1,2, Chin-Chen Chang 2,3, Changlu

More information

Modular Security Proofs for Key Agreement Protocols

Modular Security Proofs for Key Agreement Protocols Modular Security Proofs for Key Agreement Protocols Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, niversity of London, K {c.j.kudla,kenny.paterson}@rhul.ac.uk Abstract.

More information

Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings

Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Ernie Brickell Intel Corporation ernie.brickell@intel.com Liqun Chen HP Laboratories liqun.chen@hp.com March

More information

Lecture 17: Re-encryption

Lecture 17: Re-encryption 600.641 Special Topics in Theoretical Cryptography April 2, 2007 Instructor: Susan Hohenberger Lecture 17: Re-encryption Scribe: Zachary Scott Today s lecture was given by Matt Green. 1 Motivation Proxy

More information

1 Recap: Perfect Secrecy. 2 Limits of Perfect Secrecy. Recall from last time:

1 Recap: Perfect Secrecy. 2 Limits of Perfect Secrecy. Recall from last time: Theoretical Foundations of Cryptography Lecture 2 Georgia Tech, Spring 2010 Computational Hardness 1 Recap: Perfect Secrecy Instructor: Chris Peikert Scribe: George P. Burdell Recall from last time: Shannon

More information

1 Signatures vs. MACs

1 Signatures vs. MACs CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures

More information

Cryptanalysis of a Verifiably Committed Signature Scheme based on GPS and RSA

Cryptanalysis of a Verifiably Committed Signature Scheme based on GPS and RSA Cryptanalysis of a Verifiably Committed Signature Scheme based on GPS and RSA Julien Cathalo, Benoît Libert and Jean-Jacques Quisquater Université catholique de Louvain Place du Levant 3 1348 Louvain-la-Neuve,

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

Identity-based Encryption with Efficient Revocation

Identity-based Encryption with Efficient Revocation A preliminary version of this paper appears in Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS 2008, ACM Press, 2008. This is the full version. Identity-based Encryption

More information

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

Key Refreshing in Identity-based Cryptography and its Application in MANETS

Key Refreshing in Identity-based Cryptography and its Application in MANETS Key Refreshing in Identity-based Cryptography and its Application in MANETS Shane Balfe, Kent D. Boklan, Zev Klagsbrun and Kenneth G. Paterson Royal Holloway, University of London, Egham, Surrey, TW20

More information

Some Identity Based Strong Bi-Designated Verifier Signature Schemes

Some Identity Based Strong Bi-Designated Verifier Signature Schemes Some Identity Based Strong Bi-Designated Verifier Signature Schemes Sunder Lal and Vandani Verma Department of Mathematics, Dr. B.R.A. (Agra), University, Agra-282002 (UP), India. E-mail- sunder_lal2@rediffmail.com,

More information

Multi-Channel Broadcast Encryption

Multi-Channel Broadcast Encryption Multi-Channel Broadcast Encryption Duong Hieu Phan 1,2, David Pointcheval 2, and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. Broadcast encryption aims at sending a content

More information

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood

An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood An Introduction to Identity-based Cryptography CSEP 590TU March 2005 Carl Youngblood One significant impediment to the widespread adoption of public-key cryptography is its dependence on a public-key infrastructure

More information

Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords

Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords Efficient Password-Authenticated Key Exchange Using Human-Memorable Passwords Jonathan Katz 1 Rafail Ostrovsky 2 Moti Yung 3 1 Telcordia Technologies and Department of Computer Science, Columbia University.

More information

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Identity-Based Encryption from the Weil Pairing Dan Boneh 1, and Matt Franklin 2 1 Computer Science Department, Stanford University, Stanford CA 94305-9045 dabo@cs.stanford.edu 2 Computer Science Department,

More information

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

Improved Online/Offline Signature Schemes

Improved Online/Offline Signature Schemes Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion

More information

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts

New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko 1 and Brent Waters 2 1 University of Texas Austin alewko@cs.utexas.edu 2 University of Texas at Austin

More information

COMPARATIVE ANALYSIS OF IDENTITY-BASED ENCRYPTION WITH TRADITIONAL PUBLIC KEY ENCRYPTION IN WIRELESS NETWORK

COMPARATIVE ANALYSIS OF IDENTITY-BASED ENCRYPTION WITH TRADITIONAL PUBLIC KEY ENCRYPTION IN WIRELESS NETWORK COMPARATIVE ANALYSIS OF IDENTITY-BASED ENCRYPTION WITH TRADITIONAL PUBLIC KEY ENCRYPTION IN WIRELESS NETWORK Ms. Priyanka Bubna 1, Prof. Parul Bhanarkar Jha 2 1 Wireless Communication & Computing, TGPCET/RTM

More information

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

More information

Efficient Multi-Receiver Identity-Based Encryption and Its Application to Broadcast Encryption

Efficient Multi-Receiver Identity-Based Encryption and Its Application to Broadcast Encryption Efficient Multi-Receiver Identity-Based Encryption and Its Application to Broadcast Encryption Joonsang Baek Reihaneh Safavi-Naini Willy Susilo Centre for Information Security Research School of Information

More information

Public Key Encryption with Keyword Search Revisited

Public Key Encryption with Keyword Search Revisited Public Key Encryption with Keyword Search Revisited Joonsang Baek, Reihaneh Safiavi-Naini,Willy Susilo University of Wollongong Northfields Avenue Wollongong NSW 2522, Australia Abstract The public key

More information

Lecture 3: One-Way Encryption, RSA Example

Lecture 3: One-Way Encryption, RSA Example ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

More information

Identity based cryptography

Identity based cryptography Identity based cryptography The case of encryption schemes David Galindo d.galindo@cs.ru.nl Security of Systems Department of Computer Science Radboud Universiteit Nijmegen Identity based cryptography

More information

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identity-based encryption Public-key encryption, where public key = name

More information

Digital Signatures. What are Signature Schemes?

Digital Signatures. What are Signature Schemes? Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public

More information

Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model

Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model Simple and Efficient Public-Key Encryption from Computational Diffie-Hellman in the Standard Model Kristiyan Haralambiev 1 Tibor Jager 2 Eike Kiltz 3 Victor Shoup 4 Abstract This paper proposes practical

More information

Cryptography CS 555. Topic 3: One-time Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1

Cryptography CS 555. Topic 3: One-time Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1 Cryptography CS 555 Topic 3: One-time Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings Outline One-time pad Perfect secrecy Limitation of perfect secrecy Usages of one-time pad

More information

The Journal of Systems and Software

The Journal of Systems and Software The Journal of Systems and Software 82 (2009) 789 793 Contents lists available at ScienceDirect The Journal of Systems and Software journal homepage: www.elsevier.com/locate/jss Design of DL-based certificateless

More information

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

More information

Cryptographic treatment of CryptDB s Adjustable Join

Cryptographic treatment of CryptDB s Adjustable Join Cryptographic treatment of CryptDB s Adjustable Join Raluca Ada Popa and Nickolai Zeldovich MIT CSAIL March 25, 2012 1 Introduction In this document, we provide a cryptographic treatment of the adjustable

More information

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

More information

Relations Among Notions of Security for Identity Based Encryption Schemes

Relations Among Notions of Security for Identity Based Encryption Schemes Relations Among Notions of Security for Identity Based Encryption Schemes Nuttapong Attrapadung 1, Yang Cui 1, David Galindo 2, Goichiro Hanaoka 3, Ichiro Hasuo 2, Hideki Imai 1,3, Kanta Matsuura 1, Peng

More information

Provably Secure Timed-Release Public Key Encryption

Provably Secure Timed-Release Public Key Encryption Provably Secure Timed-Release Public Key Encryption JUNG HEE CHEON Seoul National University, Korea and NICHOLAS HOPPER, YONGDAE KIM and IVAN OSIPKOV University of Minnesota - Twin Cities A timed-release

More information

Secure Key Issuing in ID-based Cryptography

Secure Key Issuing in ID-based Cryptography Secure Key Issuing in ID-based Cryptography Byoungcheon Lee 1,2 Colin Boyd 1 Ed Dawson 1 Kwangjo Kim 3 Jeongmo Yang 2 Seungjae Yoo 2 1 Information Security Research Centre, Queensland University of Technology,

More information

Provable-Security Analysis of Authenticated Encryption in Kerberos

Provable-Security Analysis of Authenticated Encryption in Kerberos Provable-Security Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 30332-0765

More information

1 Domain Extension for MACs

1 Domain Extension for MACs CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).

More information

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

More information

Identity Based Encryption: An Overview

Identity Based Encryption: An Overview Identity Based Encryption: An Overview Palash Sarkar Indian Statistical Institute IBE Overview p. Structure of Presentation Conceptual overview and motivation. Some technical details. Brief algebraic background.

More information

Adaptively-Secure, Non-Interactive Public-Key Encryption

Adaptively-Secure, Non-Interactive Public-Key Encryption Adaptively-Secure, Non-Interactive Public-Key Encryption Ran Canetti 1, Shai Halevi 1, and Jonathan Katz 2 1 IBM T.J. Watson Research Center, NY, USA. 2 Department of Computer Science, University of Maryland.

More information

New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings

New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings Fangguo Zhang 1, Reihaneh Safavi-Naini 1 and Chih-Yin Lin 2 1 School of Information Technology and Computer

More information

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

More information

A Survey of Identity-Based Cryptography

A Survey of Identity-Based Cryptography A Survey of Identity-Based Cryptography Joonsang Baek 1 Jan Newmarch 2, Reihaneh Safavi-Naini 1, and Willy Susilo 1 1 School of Information Technology and Computer Science, University of Wollongong {baek,

More information

Anonymity and Time in Public-Key Encryption

Anonymity and Time in Public-Key Encryption Anonymity and Time in Public-Key Encryption Elizabeth Anne Quaglia Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics

More information

Identity-Based Cryptography and Comparison with traditional Public key Encryption: A Survey

Identity-Based Cryptography and Comparison with traditional Public key Encryption: A Survey Identity-Based Cryptography and Comparison with traditional Public key Encryption: A Survey Girish Department of PGS-CEA The National Institute of Engineering, Manadavady Road,Mysore-570008, INDIA Phaneendra

More information

Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

Twin Signatures: an Alternative to the Hash-and-Sign Paradigm Proceedings of the 8th ACM Conference on Computer and Communications Security. Pages 20 27. (november 5 8, 2001, Philadelphia, Pennsylvania, USA) Twin Signatures: an Alternative to the Hash-and-Sign Paradigm

More information

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23 Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

More information