Threshold Identity Based Encryption Scheme without Random Oracles


WCAN 2006

Jin Li
School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, P.R. China

Yanming Wang
Lingnan College, Sun Yat-sen University, Guangzhou, P.R. China

Abstract

The first threshold identity-based encryption scheme secure against chosen identity and ciphertext attacks is proposed in this paper. Our construction is based on the recently proposed identity-based encryption scheme of Waters in EUROCRYPT 2005. The new threshold identity-based encryption scheme is non-interactive and does not rely on the random oracle model.

Key words: Threshold encryption, Identity-Based, Bilinear pairings, Provable security

1 This work is supported by the National Natural Science Foundation of China NO. The first author is supported by KaiSi Grant.
2 This paper is electronically published in Electronic Notes in Theoretical Computer Science. URL:

1 Introduction

An identity-based cryptosystem [16] is a public key cryptosystem where the public key can be an arbitrary string such as an address. A private key generator (PKG) uses a master secret key to issue private keys to identities that request them. In an Identity-Based Encryption (IBE) scheme, Alice can securely encrypt a message to Bob using Bob's identity, such as an address, as the public key. Many identity-based signature schemes, such as [1,11], have been proposed since Shamir proposed the identity-based cryptosystem. However, it was not until 2001 that Boneh and Franklin [7] proposed the first practical identity-based encryption scheme, which is provably secure in the random oracle model. Subsequently, Waters proposed the first provably secure IBE [18] without relying on the random oracle model in EUROCRYPT 2005.

In a (k, n)-threshold encryption system, an entity, called the combiner, has a ciphertext C that it wishes to decrypt. The combiner sends C to the decryption servers, and receives partial decryption shares from at least k out of the n decryption servers. It then combines these k partial decryptions into a complete decryption of C. Ideally, there is no other interaction in the system, namely the servers need not talk to each other during decryption. Such threshold systems are called non-interactive. Meanwhile, one often requires that threshold decryption be robust [13, 17], namely if threshold decryption of a valid ciphertext fails, the combiner can identify the decryption servers that supplied invalid partial decryptions.

In order to prevent a single PKG from full possession of the master key in identity-based encryption, Boneh and Franklin [7] suggested that the PKG's master key should be shared among a number of PKGs using the techniques of threshold cryptography, which they call distributed PKG. A (k, n)-threshold identity-based encryption (T-IBE) [6] is an identity-based system where the master secret key is distributed among n PKGs so that at least k PKGs are needed for key generation.

Many reductionist security proofs use the random oracle model [2]. Several papers proved that some popular cryptosystems previously proved secure in the random oracle model are actually provably insecure when the random oracle is instantiated by any real-world hash function [3]. Therefore, provably secure T-IBE schemes in the standard model attract great interest. The first T-IBE without random oracles was proposed by Boneh et al. [6]; however, it is only semantically and selective-ID secure.
In this paper, we propose a new T-IBE scheme based on the recently proposed identity-based encryption scheme [18] by Waters. The new T-IBE scheme is the first T-IBE scheme that can be proved to be adaptively chosen identity and chosen ciphertext secure without relying on the random oracle model.

Organization. The next section briefly gives the definition of T-IBE and explains the bilinear pairing and some problems related to pairings. Section 3 shows a concrete construction of T-IBE. Its security analysis is also given in this section. The paper ends with some concluding remarks.

2 Preliminaries

2.1 Security Definitions and Notions

We give the definition as follows.

Definition 2.1 A $(k, n)$ T-IBE scheme consists of algorithms (Setup, ShareKeyGen, ShareVerify, Combine, Encrypt, ValidateCT, Decrypt). These algorithms are specified as follows:

1. Setup is the parameter generation algorithm. It takes as input the number of decryption servers $n$, a threshold $k$ where $1 \le k \le n$, and a security parameter $1^{\lambda}$. It outputs a triple $(PK, VK, SK)$, where $PK$ is called the system parameters, $VK$ is called a verification key, and $SK = (SK_1, \dots, SK_n)$ is a vector of master key shares. Decryption server $i$ is given the master key share $(i, SK_i)$.
2. ShareKeyGen: Takes as input the system parameters $PK$, an identity $ID$, and a master key share $(i, SK_i)$. It outputs a private key share $\theta_i$ for $ID$.
3. ShareVerify: Takes as input the system parameters $PK$, the verification key $VK$, an identity $ID$, and a private key share $\theta_i$. It outputs 1 if it is valid or 0 if it is invalid.
4. Combine: Takes as input $PK$, $VK$, an identity $ID$ and $k$ private key shares $\theta_1, \dots, \theta_k$. It outputs $d_{ID}$ or .
5. Encrypt: Takes $PK$, an identity $ID$, and a message $M$, and outputs a ciphertext $C$.
6. ValidateCT: Takes as input $PK$, an identity $ID$, and a ciphertext $C$. It outputs 1 if it is valid or 0 if it is invalid.
7. Decrypt: Takes as input $PK$, $ID$, a private key $d_{ID}$, and a ciphertext $C$. It outputs a message $M$ or .

Security of a T-IBE is defined using two properties: security against chosen identity attacks and consistency of key generation. There are two ways to define chosen identity attacks against IBE schemes, depending on whether the adversary chooses the target identity adaptively (an adaptive-ID attack [7]) or selects it in advance (a selective-ID attack [5]). Only a scheme secure against selective-ID attacks was proposed in [6]. We now define a security notion for the T-IBE scheme against chosen identity and chosen-ciphertext attacks. Its formal definition is based on the following game between a challenger and a static adversary A. Both are given $n$, $k$, and a security parameter $\lambda$ as input.
Initialization: The adversary outputs a set $S \subset \{1, \dots, n\}$ of $k-1$ decryption servers to corrupt.

Setup: The challenger runs Setup to obtain a random instance $(PK, VK, SK)$ where $SK = (SK_1, \dots, SK_n)$. It gives the adversary $PK$, $VK$, and all $(j, SK_j)$ for $j \in S$.

Phase 1: The adversary adaptively issues chosen identity queries $(ID, i)$. The challenger responds with ShareKeyGen$(PK, i, SK_i, ID)$. Meanwhile, it can also issue chosen ciphertext queries $(ID, C)$, to which the challenger responds with Decrypt$(C, SK_i, ID)$.
Challenge: A outputs an identity $ID^*$ and two equal-length plaintexts $m_0, m_1$ for the challenge ciphertext. The challenger chooses a random $b \in \{0, 1\}$ and sends the challenge ciphertext $C^* = \mathrm{Enc}(ID^*, m_b)$ to A.

Phase 2: A continues to query as in Phase 1.

Guess: Finally, A outputs a guess bit $b'$. We say that A wins the game if $b' = b$. The advantage $\mathrm{Adv}^{cca}_{A}(1^k)$ of A is defined as the probability that it wins the game over $\frac{1}{2}$.

Definition 2.2 A T-IBE scheme is secure if $\mathrm{Adv}^{cca}_{A}(1^{\lambda})$ is negligible for any probabilistic polynomial time (PPT) adversary A.

2.2 One-Time Signature

Before we give the definition of a one-time signature (OTS), we first show the definition of a generic signature scheme. A signature scheme is made up of three algorithms, Gen, Sign, and Verify, for generating keys, signing, and verifying signatures, respectively. The standard notion of security for a signature scheme is called existential unforgeability under a chosen message attack [17], which is defined through the following game between a challenger C and an adversary A:

1. C runs Gen$(1^{\lambda})$ and obtains a public key $pk$ and secret key $sk$. The public key $pk$ is sent to A.
2. A requests signatures on at most $q_S$ messages $m_i$ adaptively for $i = 1, \dots, q_S$. C returns the corresponding signature $\sigma_i$, which is obtained by running algorithm Sign.
3. Finally, A outputs $(m^*, \sigma^*)$, where $m^*$ is a message and $\sigma^*$ is a signature, such that $m^*$ is not equal to the input of any query to Sign. A wins the game if $\sigma^*$ is a valid signature of $m^*$.

A signature scheme is called secure if A cannot output such a valid forged signature after the above game. The security definition of OTS is the same as for signatures, except that the attacker is restricted to query the signing oracle only one time, i.e., $q_S = 1$.

2.3 Pairings and Problems

Our scheme uses bilinear pairings on elliptic curves. We now give a brief review of the properties of pairings and some candidate hard problems from pairings that will be used later.
Let $G$, $G_T$ be cyclic groups of prime order $p$, writing the group action multiplicatively. Let $g$ be a generator of $G$.

Definition 2.3 A map $\hat{e} : G \times G \to G_T$ is called a bilinear pairing if, for all $x, y \in G$ and $a, b \in \mathbb{Z}_p$, we have $\hat{e}(x^a, y^b) = \hat{e}(x, y)^{ab}$, and $\hat{e}(g, g) \neq 1$.

Definition 2.4 (Decision Bilinear Diffie-Hellman Problem) The Decision BDH problem is, given $(g, g^x, g^y, g^z) \in G^4$ for unknown $x, y, z \in \mathbb{Z}_p$ and $T \in G_T$, to decide if $T = \hat{e}(g, g)^{xyz}$.

We say that the Decision $(t, \epsilon)$-BDH assumption holds in $G$ if no $t$-time algorithm has probability at least $\frac{1}{2} + \epsilon$ of solving the Decision BDH problem for non-negligible $\epsilon$.

3 The Threshold Identity-Based Encryption Scheme

3.1 Brief Review of Waters' Identity-Based Encryption

Let $G$ be a bilinear group of prime order $p$, with a pairing $\hat{e} : G \times G \to G_T$. Identities will be represented as bit strings of length $n$. We can also let identities be of arbitrary length and $n$ be the output length of a collision-resistant hash function.

Setup. To generate system parameters, the algorithm selects a random generator $g \in G$, picks a random $\alpha \in \mathbb{Z}_p$, and sets $g_1 = g^{\alpha}$. Additionally, it chooses two random values $g_2, u \in G$ and a random $n$-length vector $U = (u_i)$, whose elements are chosen at random from $G$. The system parameters are param $= (g, g_1, g_2, u, U)$ and the master key is $g_2^{\alpha}$.

Extract. Let $ID = (I_1, \dots, I_n) \in \{0, 1\}^n$ be an $n$-bit string representing an identity. To generate a private key for $ID$, the algorithm picks a random $r \in \mathbb{Z}_p$ and returns $S_{ID} = (d_1, d_2)$, where

$$d_1 = g_2^{\alpha} \Big(u \prod_{i=1}^{n} u_i^{I_i}\Big)^{r}, \qquad d_2 = g^{r}.$$

Enc. To generate the ciphertext on a plaintext $M \in G_T$ with respect to $ID$, pick $s \in_R \mathbb{Z}_p$ and output the ciphertext $C = (C_1, C_2, C_3)$, where

$$C_1 = \hat{e}(g_1, g_2)^{s} M, \qquad C_2 = g^{s}, \qquad C_3 = \Big(u \prod_{i=1}^{n} u_i^{I_i}\Big)^{s}.$$

Dec. On input ciphertext $C = (C_1, C_2, C_3)$ and private key $S_{ID} = (d_1, d_2)$ for $ID$, output the plaintext

$$M = C_1 \cdot \frac{\hat{e}(d_2, C_3)}{\hat{e}(d_1, C_2)}.$$

3.2 The Threshold Identity-Based Encryption Scheme without Random Oracles

1. Setup. To generate system parameters, select a random generator $g \in G$, pick a random $\alpha \in \mathbb{Z}_p$, and set $g_1 = g^{\alpha}$. Additionally, choose three random values $g_2, h, u \in G$ and a random $n$-length vector $U = (u_i)$, whose elements are chosen at random from $G$. Furthermore, choose a polynomial $f(x) \in \mathbb{Z}_p[x]$ of degree $k-1$ such that $\alpha = f(0)$ and compute the $n$ master key shares $(i, sk_i)$ for $1 \le i \le n$, defined as $sk_i = g_2^{f(i)}$.
The public verification key VK consists of the $n$-tuple $(g^{f(1)}, \dots, g^{f(n)})$. Additionally, a hash function $H : \{0, 1\}^* \to \mathbb{Z}_p$ is defined. The system parameters are param $= (g, g_1, g_2, h, u, U, VK, H)$ and the master key share of server $i$ is $sk_i$ for $1 \le i \le n$.

2. ShareKeyGen. Let $ID = (I_1, \dots, I_n) \in \{0, 1\}^n$ be an $n$-bit string representing an identity. Pick a random $r_i \in \mathbb{Z}_p$ and return, for $1 \le i \le n$,

$$d_i = \Big( sk_i \Big(u \prod_{j=1}^{n} u_j^{I_j}\Big)^{r_i},\ g^{r_i} \Big).$$

3. ShareVerify. To verify whether $d_i = (d_{i,1}, d_{i,2})$ is a valid private key share for identity $ID = (I_1, \dots, I_n)$, let $VK = (vk_1, \dots, vk_n)$ where $vk_i = g^{f(i)}$. Output 1 or 0 according to the truth of the following condition:

$$\hat{e}(d_{i,1}, g) \stackrel{?}{=} \hat{e}(vk_i, g_2) \cdot \hat{e}\Big(d_{i,2},\ u \prod_{j=1}^{n} u_j^{I_j}\Big).$$

4. Combine. Without loss of generality we assume that decryption servers $i = 1, \dots, k$ were used to generate $d_1, \dots, d_k$. To derive the private key for $ID$, let $\lambda_1, \dots, \lambda_k \in \mathbb{Z}_p$ be the Lagrange coefficients so that $\alpha = f(0) = \sum_{i=1}^{k} \lambda_i f(i)$. Output the private key

$$d_{ID} = \Big( \prod_{i=1}^{k} d_{i,1}^{\lambda_i},\ \prod_{i=1}^{k} d_{i,2}^{\lambda_i} \Big) = \Big( g_2^{\alpha} \Big(u \prod_{j=1}^{n} u_j^{I_j}\Big)^{r},\ g^{r} \Big)$$

for some $r \in \mathbb{Z}_p$, which is the same as the private key in Waters' extraction algorithm.

5. Encrypt. To generate the ciphertext on a plaintext $M \in G_T$ with respect to $ID = (I_1, \dots, I_n) \in \{0, 1\}^n$, generate a one-time signature key pair $(vk, sk) \leftarrow \mathrm{Gen}(1^{\lambda})$. Then pick $s \in_R \mathbb{Z}_p$ and output the ciphertext $C = (c_1, c_2, c_3, c_4, c_5, c_6)$, where

$$c_1 = \hat{e}(g_1, g_2)^{s} M, \quad c_2 = g^{s}, \quad c_3 = \Big(u \prod_{i=1}^{n} u_i^{I_i}\Big)^{s}, \quad c_4 = (g_1^{H(vk)} h)^{s}, \quad c_5 = \mathrm{Sign}_{sk}(c_1, c_2, c_3, c_4), \quad c_6 = vk.$$

6. ValidateCT. To validate a ciphertext $C = (c_1, c_2, c_3, c_4, c_5, c_6)$, check whether $\mathrm{Verify}_{c_6}(c_5) = 1$. If it holds, then check whether $\hat{e}(c_1, u \prod_{i=1}^{n} u_i^{I_i}) = \hat{e}(g, c_3)$ and $\hat{e}(c_1, g_1^{H(c_6)} h) = \hat{e}(g, c_4)$. Output 1 if it holds. Otherwise, output 0.

7. Decrypt. Given ciphertext $C = (c_1, c_2, c_3, c_4, c_5, c_6)$ and private key $d_{ID} = (d_1, d_2)$, first check that ValidateCT$(PK, ID, C) = 1$. If check fails, output and exit. Otherwise, pick a random value $r \in \mathbb{Z}_p$ and output the plaintext

$$M = c_1 \cdot \hat{e}(d_2, c_3) \cdot \hat{e}(g^{r}, c_4) \,/\, \hat{e}\big(d_1 (g_1^{H(c_6)} h)^{r},\ c_2\big).$$
3.3 Security Result

Theorem 3.1 The T-IBE system above is secure against chosen identity and chosen ciphertext attacks if the Decision BDH assumption holds and the one-time signature is secure.

Proof. Our algorithm C described below solves the Decision BDH problem for a randomly given instance $\{g, X = g^x, Y = g^y, Z = g^z, T\}$, for which it is asked to decide if $T = \hat{e}(g, g)^{xyz}$.

Setup: Simulator C defines $g_1 = X$ and $g_2 = Y$. Meanwhile, it runs Gen to get a one-time key pair $(vk^*, sk^*)$. It also defines a hash function $H : \{0, 1\}^* \to \mathbb{Z}_p$ and assigns $h = g_1^{-H(vk^*)} g^{\omega}$. It sets an integer $m = 4q_E$ and chooses an integer $k$ uniformly at random between 0 and $n$. It then chooses a random $n$-length vector $\mathbf{a} = (a_i)$, where the elements of $\mathbf{a}$ are chosen uniformly at random between 0 and $m-1$. Additionally, the simulator chooses a random $b \in \mathbb{Z}_p$ and an $n$-length vector $\mathbf{b} = (b_i)$, where the elements of $\mathbf{b}$ are chosen at random in $\mathbb{Z}_p$. These values are all kept internal to the simulator. It then assigns $u = g_1^{p - km + a} g^{b}$ and the parameter $U$ as $u_i = g_1^{a_i} g^{b_i}$ for $1 \le i \le n$. The system parameters $(g, g_1, g_2, u, U)$ are sent to A.

To make the notation easier to follow, the following two pairs of functions are defined for an identity $ID = \{I_1, \dots, I_n\} \in \{0, 1\}^n$. We define

$$F(ID) = (p - mk) + a + \sum_{i=1}^{n} a_i I_i.$$

Next, we define

$$J(ID) = b + \sum_{i=1}^{n} b_i I_i.$$

Finally, we define a binary function $K(ID)$ as

$$K(ID) = \begin{cases} 0, & \text{if } a + \sum_{i=1}^{n} a_i I_i \equiv 0 \pmod{m}; \\ 1, & \text{otherwise.} \end{cases}$$

Assume w.l.o.g. that the adversary corrupted the first $k-1$ players $S = \{P_1, \dots, P_{k-1}\}$. Then, C generates the secret key shares for the $k-1$ corrupted players. To do so, C first picks $k-1$ random integers $x_1, \dots, x_{k-1} \in \mathbb{Z}_p$. Let $f \in \mathbb{Z}_p[X]$ be the degree $k-1$ polynomial implicitly defined to satisfy $f(0) = x$ and $f(i) = x_i$ for $i = 1, \dots, k-1$ (note that C does not know $f$ since it does not know $x$). C gives A the $k-1$ secret key shares $sk_i = g_2^{x_i}$. These keys are consistent with this polynomial $f$ since $sk_i = g_2^{f(i)}$ for $i = 1, \dots, k-1$.
Finally, C constructs the verification key VK, which is an $n$-vector $(vk_1, \dots, vk_n)$ such that $vk_i = g^{f(i)}$ for the polynomial $f$ defined above, as follows:

For $i \in S$, computing $vk_i$ is easy since $f(i)$ is equal to one of the $x_1, \dots, x_{k-1}$, which are known to C. Thus, $vk_1, \dots, vk_{k-1}$ are easy to compute.

For $i \notin S$, C needs to compute the Lagrange coefficients $\lambda_{0,i}, \lambda_{1,i}, \dots, \lambda_{k-1,i} \in \mathbb{Z}_p$ such that $f(i) = \lambda_{0,i} f(0) + \sum_{j=1}^{k-1} \lambda_{j,i} f(j)$; these Lagrange coefficients can be easily calculated since they do not depend on $f$. Algorithm C then sets

$$vk_i = g_1^{\lambda_{0,i}}\, vk_1^{\lambda_{1,i}} \cdots vk_{k-1}^{\lambda_{k-1,i}},$$

which entails that $vk_i = g^{f(i)}$ as required.

Once it has computed all the $vk_i$'s, C gives to A the verification key $VK = (vk_1, \dots, vk_n)$.
Extraction Queries: Assume the adversary asks for at most $q_E$ extraction queries. C first computes the Lagrange coefficients $\lambda_{0,i}, \lambda_{1,i}, \dots, \lambda_{k-1,i} \in \mathbb{Z}_p$ such that $f(i) = \lambda_{0,i} f(0) + \sum_{j=1}^{k-1} \lambda_{j,i} f(j)$. Given an identity $ID$ for a private key query, C will abort if $K(ID) = 0$. Otherwise, it randomly picks $r_i \in \mathbb{Z}_p$ and outputs the simulated secret share as

$$d_i = \Big( g_2^{-\lambda_{0,i} \frac{J(ID)}{F(ID)}} \Big(u \prod_{j=1}^{n} u_j^{I_j}\Big)^{r_i} g_2^{\sum_{j=1}^{k-1} \lambda_{j,i} f(j)},\ \ g_2^{-\frac{\lambda_{0,i}}{F(ID)}} g^{r_i} \Big).$$

Let $\tilde{r}_i = r_i - \frac{\lambda_{0,i}\, y}{F(ID)}$ (which is not known to C); then the correctness of the signature can be verified as follows:

$$g_2^{-\lambda_{0,i} \frac{J(ID)}{F(ID)}} \Big(u \prod_{j=1}^{n} u_j^{I_j}\Big)^{r_i} g_2^{\sum_{j=1}^{k-1} \lambda_{j,i} f(j)} = g_2^{\lambda_{0,i} x}\, g_1^{-\lambda_{0,i} y}\, g_2^{\sum_{j=1}^{k-1} \lambda_{j,i} f(j)}\, g_2^{-\lambda_{0,i} \frac{J(ID)}{F(ID)}} \Big(u \prod_{j=1}^{n} u_j^{I_j}\Big)^{r_i} = g_2^{f(i)} \Big(u \prod_{j=1}^{n} u_j^{I_j}\Big)^{\tilde{r}_i}.$$

Additionally, we have $g_2^{-\frac{\lambda_{0,i}}{F(ID)}} g^{r_i} = g^{\tilde{r}_i}$. So, it is a valid signature share from the view of A.

Decryption Queries: A issues up to $q_S$ decryption queries to the uncorrupted servers. Let $C = (c_1, c_2, c_3, c_4, c_5, c_6)$ be the ciphertext of a decryption query for identity $ID = (I_1, \dots, I_n)$. C first checks if the ciphertext is valid. If it is not, output a distinguished symbol. Otherwise, pick random $\omega, r \in \mathbb{Z}_p$ and output the plaintext

$$M = c_1 \cdot \hat{e}(g^{r}, c_3) \cdot \hat{e}\Big(g^{\omega} g_2^{\frac{1}{H(vk^*) - H(vk)}},\ c_4\Big) \,\Big/\, \hat{e}\Big(\Big(u \prod_{i=1}^{n} u_i^{I_i}\Big)^{r} (g_1^{H(c_6)} h)^{\omega}\, g_2^{\frac{\omega}{H(vk^*) - H(vk)}},\ c_2\Big).$$

The correctness of the decryption can be verified as follows. Let $r' = \omega - \frac{y}{H(vk) - H(vk^*)}$ (which is not known to C); then

$$\Big(u \prod_{i=1}^{n} u_i^{I_i}\Big)^{r} (g_1^{H(c_6)} h)^{\omega}\, g_2^{\frac{\omega}{H(vk^*) - H(vk)}} = g_2^{x} \Big(u \prod_{i=1}^{n} u_i^{I_i}\Big)^{r} (g_1^{H(vk)} h)^{r'}.$$

Furthermore, $g^{\omega} g_2^{\frac{1}{H(vk^*) - H(vk)}} = g^{r'}$.

Finally, the adversary submits two messages $m_0, m_1$ and an identity $ID^*$ for the challenge ciphertext. If $a + \sum_{i=1}^{n} a_i I_i \neq km$, the challenger will abort and submit a random guess. Otherwise, we have $F(ID^*) \equiv 0 \pmod{p}$ and the simulator will flip a fair coin $\gamma$ and construct the ciphertext as

$$C^* = (c_1^*, c_2^*, c_3^*, c_4^*, c_5^*, c_6^*) = \big(T \cdot m_{\gamma},\ Z,\ Z^{J(ID^*)},\ Z^{\omega},\ \mathrm{Sign}_{sk^*}(c_1^*, c_2^*, c_3^*, c_4^*),\ vk^*\big).$$

It is easy to verify that it is a valid simulated ciphertext.
The simulator repeats the same method as above if the adversary submits extraction queries and decryption queries. Meanwhile, since the one-time signature scheme is secure, the adversary cannot submit a valid ciphertext such that $c_6 = vk^*$; otherwise, the one-time signature scheme is insecure. The simulator can simulate the decryption as above.

Finally, the adversary A outputs a guess $\gamma'$ of $\gamma$. If $\gamma' = \gamma$, then C decides that $T = \hat{e}(g, g)^{xyz}$. Otherwise, $T \neq \hat{e}(g, g)^{xyz}$. It is easy to verify that if the advantage of A is $\epsilon$, then C can also have an advantage $\epsilon$ to the Decision BDH problem.

It remains to analyze the probability of C not aborting. For the simulation to complete without aborting, we require that all extraction queries on an identity $ID$ have $K(ID) \neq 0 \bmod m$, and that the challenge query on an identity $ID^*$ has $F(ID^*) \equiv 0 \bmod p$. In fact, the probability analysis is very similar to [18]. As in the analysis in [18], the lower bound of not aborting is $\frac{1}{8(n+1)q_E}$. Meanwhile, by combining the abort and non-abort cases, we can get the probability of solving the Decision BDH problem as $\frac{\epsilon}{32(n+1)q_E}$ if the adversary succeeds with probability $\epsilon$.

4 Conclusion

We propose the first T-IBE scheme secure against chosen identity and chosen ciphertext attacks. Our construction is based on the recently proposed identity-based encryption scheme of Waters in EUROCRYPT 2005. Furthermore, the scheme is non-interactive and does not rely on random oracles.

References

[1] M. Bellare, C. Namprempre, and G. Neven. Security Proofs for Identity-based Identification and Signature Schemes. EuroCrypt 04, LNCS 3027, pp Springer,
[2] M. Bellare, P. Rogaway. Random oracles are practical: a paradigm for designing efficient protocols. In First ACM Conference on Computer and Communications Security, ACM,
[3] M. Bellare, A. Boldyreva, and A. Palacio. An Uninstantiable Random-Oracle Model Scheme for a Hybrid-Encryption Problem. EUROCRYPT 2004, LNCS 3027, pages Springer,
[4] D. Boneh and X. Boyen. Short Signatures Without Random Oracles. EUROCRYPT 04, Proceedings, volume 3027 of Lecture Notes in Computer Science, pages 56-73, Springer,
[5] D. Boneh and X. Boyen. Efficient selective-ID identity based encryption without random oracles. EUROCRYPT 04, LNCS 3027, pages Springer-Verlag,
[6] D. Boneh, X. Boyen and S. Halevi. Chosen ciphertext secure public key threshold encryption without random oracles. CT-RSA 05. LNCS 3860, pp , Springer,
[7] D. Boneh and M. Franklin, Identity-based encryption from the Weil pairing, Crypto 01, LNCS 2139, pp , Springer-Verlag,
[8] D. Boneh and J. Katz. Improved Efficiency for CCA-Secure Cryptosystems Built Using Identity-Based Encryption. Topics in Cryptology - CT-RSA 2005, LNCS 3376, pages , Springer,
[9] X. Boyen, Q. Mei, and B. Waters. Direct Chosen ciphertext security from identity-based techniques. CCS 05. ACM press, Full version at
[10] Canetti, S. Halevi, and J. Katz. Chosen-ciphertext security from identity-based encryption. EUROCRYPT 04, LNCS 3027, pages , Springer-Verlag,
[11] J.C. Cha and J.H. Cheon, An identity-based signature from gap Diffie-Hellman groups, PKC 03, LNCS 2567, pp , Springer-Verlag,
[12] R. Cramer and V. Shoup. A Practical Public Key Cryptosystem Provably Secure Against Chosen Ciphertext Attack. Crypto 98, LNCS 1462, Springer-Verlag, pp ,
[13] P. Fouque and D. Pointcheval, Threshold Cryptosystems Secure Chosen Ciphertext Attacks, Proceedings of ASIACRYPT 2001, LNCS 2248, pages , Springer-Verlag,
[14] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin, Secure Distributed Key Generation for Discrete-Log Based Cryptosystem, Proceedings of EUROCRYPT 99, LNCS 1592, pages , Springer-Verlag,
[15] Y. Mu, V. Varadharajan, and K. Nguyen, Delegated decryption, IMACrypto Coding 99, LNCS 1746, pp , Springer-Verlag,
[16] A. Shamir, Identity-based cryptosystems and signature schemes, Crypto 84, LNCS 196, pp. 47-53, Springer-Verlag,
[17] V. Shoup and R. Gennaro, Securing Threshold Cryptosystems against Chosen Ciphertext Attack, Journal of Cryptology, Vol. 15, pages 75-96, Springer-Verlag,
[18] B. Waters, Efficient Identity based Encryption without random oracles. EUROCRYPT 2005, LNCS 3494, pp , Springer-Verlag,
More informationPaillier Threshold Encryption Toolbox
Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created
More informationIdentitybased Encryption with PostChallenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks
Identitybased Encryption with PostChallenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen  Huawei, Singapore Ye Zhang  Pennsylvania State University, USA Siu Ming
More informationAnalysis of PrivacyPreserving Element Reduction of Multiset
Analysis of PrivacyPreserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaCRIM, Seoul
More informationCOM S 687 Introduction to Cryptography October 19, 2006
COM S 687 Introduction to Cryptography October 19, 2006 Lecture 16: NonMalleability and Public Key Encryption Lecturer: Rafael Pass Scribe: Michael George 1 NonMalleability Until this point we have discussed
More informationPassword Protected Smart Card and Memory Stick Authentication Against Offline Dictionary Attacks
Password Protected Smart Card and Memory Stick Authentication Against Offline Dictionary Attacks Yongge Wang Department of Software and Information Systems UNC Charlotte, Charlotte, NC 28223, USA yonwang@uncc.edu
More informationIdentityBased Encryption: A 30Minute Tour. Palash Sarkar
IdentityBased Encryption: A 30Minute Tour Palash Sarkar Applied Statistics Unit Indian Statistical Institute, Kolkata India palash@isical.ac.in Palash Sarkar (ISI, Kolkata) IBE: Some Issues ISI, Kolkata,
More informationSecure and Efficient Identitybased Proxy Multisignature Using Cubic Residues
International Journal of Network Security, Vol.18, No.1, PP.9098, Jan. 2016 90 Secure and Efficient Identitybased Proxy Multisignature Using Cubic Residues Feng Wang 1,2, ChinChen Chang 2,3, Changlu
More informationModular Security Proofs for Key Agreement Protocols
Modular Security Proofs for Key Agreement Protocols Caroline Kudla and Kenneth G. Paterson Information Security Group Royal Holloway, niversity of London, K {c.j.kudla,kenny.paterson}@rhul.ac.uk Abstract.
More informationSimplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings
Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Ernie Brickell Intel Corporation ernie.brickell@intel.com Liqun Chen HP Laboratories liqun.chen@hp.com March
More informationLecture 17: Reencryption
600.641 Special Topics in Theoretical Cryptography April 2, 2007 Instructor: Susan Hohenberger Lecture 17: Reencryption Scribe: Zachary Scott Today s lecture was given by Matt Green. 1 Motivation Proxy
More information1 Recap: Perfect Secrecy. 2 Limits of Perfect Secrecy. Recall from last time:
Theoretical Foundations of Cryptography Lecture 2 Georgia Tech, Spring 2010 Computational Hardness 1 Recap: Perfect Secrecy Instructor: Chris Peikert Scribe: George P. Burdell Recall from last time: Shannon
More information1 Signatures vs. MACs
CS 120/ E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. KatzLindell 10 1 Signatures vs. MACs Digital signatures
More informationCryptanalysis of a Verifiably Committed Signature Scheme based on GPS and RSA
Cryptanalysis of a Verifiably Committed Signature Scheme based on GPS and RSA Julien Cathalo, Benoît Libert and JeanJacques Quisquater Université catholique de Louvain Place du Levant 3 1348 LouvainlaNeuve,
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationIdentitybased Encryption with Efficient Revocation
A preliminary version of this paper appears in Proceedings of the 14th ACM Conference on Computer and Communications Security, CCS 2008, ACM Press, 2008. This is the full version. Identitybased Encryption
More informationBreaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring
Breaking Generalized DiffieHellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The DiffieHellman keyexchange protocol may naturally be extended to k > 2
More informationLecture 9  Message Authentication Codes
Lecture 9  Message Authentication Codes Boaz Barak March 1, 2010 Reading: BonehShoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationKey Refreshing in Identitybased Cryptography and its Application in MANETS
Key Refreshing in Identitybased Cryptography and its Application in MANETS Shane Balfe, Kent D. Boklan, Zev Klagsbrun and Kenneth G. Paterson Royal Holloway, University of London, Egham, Surrey, TW20
More informationSome Identity Based Strong BiDesignated Verifier Signature Schemes
Some Identity Based Strong BiDesignated Verifier Signature Schemes Sunder Lal and Vandani Verma Department of Mathematics, Dr. B.R.A. (Agra), University, Agra282002 (UP), India. Email sunder_lal2@rediffmail.com,
More informationMultiChannel Broadcast Encryption
MultiChannel Broadcast Encryption Duong Hieu Phan 1,2, David Pointcheval 2, and Viet Cuong Trinh 1 1 LAGA, University of Paris 8 2 ENS / CNRS / INRIA Abstract. Broadcast encryption aims at sending a content
More informationAn Introduction to Identitybased Cryptography CSEP 590TU March 2005 Carl Youngblood
An Introduction to Identitybased Cryptography CSEP 590TU March 2005 Carl Youngblood One significant impediment to the widespread adoption of publickey cryptography is its dependence on a publickey infrastructure
More informationEfficient PasswordAuthenticated Key Exchange Using HumanMemorable Passwords
Efficient PasswordAuthenticated Key Exchange Using HumanMemorable Passwords Jonathan Katz 1 Rafail Ostrovsky 2 Moti Yung 3 1 Telcordia Technologies and Department of Computer Science, Columbia University.
More informationIdentityBased Encryption from the Weil Pairing
IdentityBased Encryption from the Weil Pairing Dan Boneh 1, and Matt Franklin 2 1 Computer Science Department, Stanford University, Stanford CA 943059045 dabo@cs.stanford.edu 2 Computer Science Department,
More informationAuthenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense
More informationAdvanced Cryptography
Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.
More informationImproved Online/Offline Signature Schemes
Improved Online/Offline Signature Schemes Adi Shamir and Yael Tauman Applied Math. Dept. The Weizmann Institute of Science Rehovot 76100, Israel {shamir,tauman}@wisdom.weizmann.ac.il Abstract. The notion
More informationNew Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts
New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts Allison Lewko 1 and Brent Waters 2 1 University of Texas Austin alewko@cs.utexas.edu 2 University of Texas at Austin
More informationCOMPARATIVE ANALYSIS OF IDENTITYBASED ENCRYPTION WITH TRADITIONAL PUBLIC KEY ENCRYPTION IN WIRELESS NETWORK
COMPARATIVE ANALYSIS OF IDENTITYBASED ENCRYPTION WITH TRADITIONAL PUBLIC KEY ENCRYPTION IN WIRELESS NETWORK Ms. Priyanka Bubna 1, Prof. Parul Bhanarkar Jha 2 1 Wireless Communication & Computing, TGPCET/RTM
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationEfficient MultiReceiver IdentityBased Encryption and Its Application to Broadcast Encryption
Efficient MultiReceiver IdentityBased Encryption and Its Application to Broadcast Encryption Joonsang Baek Reihaneh SafaviNaini Willy Susilo Centre for Information Security Research School of Information
More informationPublic Key Encryption with Keyword Search Revisited
Public Key Encryption with Keyword Search Revisited Joonsang Baek, Reihaneh SafiaviNaini,Willy Susilo University of Wollongong Northfields Avenue Wollongong NSW 2522, Australia Abstract The public key
More informationLecture 3: OneWay Encryption, RSA Example
ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: OneWay Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require
More informationIdentity based cryptography
Identity based cryptography The case of encryption schemes David Galindo d.galindo@cs.ru.nl Security of Systems Department of Computer Science Radboud Universiteit Nijmegen Identity based cryptography
More informationIdentitybased encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012
Identitybased encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identitybased encryption Publickey encryption, where public key = name
More informationDigital Signatures. What are Signature Schemes?
Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counterparts of the message authentication schemes in the public
More informationSimple and Efficient PublicKey Encryption from Computational DiffieHellman in the Standard Model
Simple and Efficient PublicKey Encryption from Computational DiffieHellman in the Standard Model Kristiyan Haralambiev 1 Tibor Jager 2 Eike Kiltz 3 Victor Shoup 4 Abstract This paper proposes practical
More informationCryptography CS 555. Topic 3: Onetime Pad and Perfect Secrecy. CS555 Spring 2012/Topic 3 1
Cryptography CS 555 Topic 3: Onetime Pad and Perfect Secrecy CS555 Spring 2012/Topic 3 1 Outline and Readings Outline Onetime pad Perfect secrecy Limitation of perfect secrecy Usages of onetime pad
More informationThe Journal of Systems and Software
The Journal of Systems and Software 82 (2009) 789 793 Contents lists available at ScienceDirect The Journal of Systems and Software journal homepage: www.elsevier.com/locate/jss Design of DLbased certificateless
More informationVictor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract
Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart
More informationCryptographic treatment of CryptDB s Adjustable Join
Cryptographic treatment of CryptDB s Adjustable Join Raluca Ada Popa and Nickolai Zeldovich MIT CSAIL March 25, 2012 1 Introduction In this document, we provide a cryptographic treatment of the adjustable
More informationQUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University
QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Postquantum Crypto c = E(pk,m) sk m = D(sk,c)
More informationRelations Among Notions of Security for Identity Based Encryption Schemes
Relations Among Notions of Security for Identity Based Encryption Schemes Nuttapong Attrapadung 1, Yang Cui 1, David Galindo 2, Goichiro Hanaoka 3, Ichiro Hasuo 2, Hideki Imai 1,3, Kanta Matsuura 1, Peng
More informationProvably Secure TimedRelease Public Key Encryption
Provably Secure TimedRelease Public Key Encryption JUNG HEE CHEON Seoul National University, Korea and NICHOLAS HOPPER, YONGDAE KIM and IVAN OSIPKOV University of Minnesota  Twin Cities A timedrelease
More informationSecure Key Issuing in IDbased Cryptography
Secure Key Issuing in IDbased Cryptography Byoungcheon Lee 1,2 Colin Boyd 1 Ed Dawson 1 Kwangjo Kim 3 Jeongmo Yang 2 Seungjae Yoo 2 1 Information Security Research Centre, Queensland University of Technology,
More informationProvableSecurity Analysis of Authenticated Encryption in Kerberos
ProvableSecurity Analysis of Authenticated Encryption in Kerberos Alexandra Boldyreva Virendra Kumar Georgia Institute of Technology, School of Computer Science 266 Ferst Drive, Atlanta, GA 303320765
More information1 Domain Extension for MACs
CS 127/CSCI E127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures KatzLindell Ÿ4.34.4 (2nd ed) and Ÿ12.012.3 (1st ed).
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture  PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationIdentity Based Encryption: An Overview
Identity Based Encryption: An Overview Palash Sarkar Indian Statistical Institute IBE Overview p. Structure of Presentation Conceptual overview and motivation. Some technical details. Brief algebraic background.
More informationAdaptivelySecure, NonInteractive PublicKey Encryption
AdaptivelySecure, NonInteractive PublicKey Encryption Ran Canetti 1, Shai Halevi 1, and Jonathan Katz 2 1 IBM T.J. Watson Research Center, NY, USA. 2 Department of Computer Science, University of Maryland.
More informationNew Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings
New Proxy Signature, Proxy Blind Signature and Proxy Ring Signature Schemes from Bilinear Pairings Fangguo Zhang 1, Reihaneh SafaviNaini 1 and ChihYin Lin 2 1 School of Information Technology and Computer
More informationSECURITY IMPROVMENTS TO THE DIFFIEHELLMAN SCHEMES
www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIEHELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,
More informationA Survey of IdentityBased Cryptography
A Survey of IdentityBased Cryptography Joonsang Baek 1 Jan Newmarch 2, Reihaneh SafaviNaini 1, and Willy Susilo 1 1 School of Information Technology and Computer Science, University of Wollongong {baek,
More informationAnonymity and Time in PublicKey Encryption
Anonymity and Time in PublicKey Encryption Elizabeth Anne Quaglia Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group Department of Mathematics
More informationIdentityBased Cryptography and Comparison with traditional Public key Encryption: A Survey
IdentityBased Cryptography and Comparison with traditional Public key Encryption: A Survey Girish Department of PGSCEA The National Institute of Engineering, Manadavady Road,Mysore570008, INDIA Phaneendra
More informationTwin Signatures: an Alternative to the HashandSign Paradigm
Proceedings of the 8th ACM Conference on Computer and Communications Security. Pages 20 27. (november 5 8, 2001, Philadelphia, Pennsylvania, USA) Twin Signatures: an Alternative to the HashandSign Paradigm
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More information