Definitions for Predicate Encryption
1 Definitions for Predicate Encryption
Giuseppe Persiano
Dipartimento di Informatica, Università di Salerno, Italy
Thursday 12th April, 2012
Cryptographic Proofs

2 Content
Results on simulation-based definitions for Secure Predicate Encryption.
Work in progress.
Joint with Manuel Barbosa, Angelo De Caro, Pooya Farshim, Vincenzo Iovino.

3 Secure Encryption Scheme
Informal: An encryption scheme is secure: an adversary, who knows the encryption algorithm and is given the ciphertext, cannot obtain any information about the cleartext.
S. Goldwasser and S. Micali: Probabilistic Encryption and How To Play Mental Poker, STOC '82; Probabilistic Encryption, JCSS '84.

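4 Formalization: Syntax
An Encryption Scheme is a tuple of 3 efficient and probabilistic algorithms $(\mathsf{Gen}, \mathsf{E}, \mathsf{D})$:
1. $\mathsf{Gen}(1^\lambda)$ outputs public and secret keys $(\mathsf{pk}, \mathsf{sk})$ with security parameter $\lambda$;
2. $\mathsf{E}(\mathsf{pk}, m)$ outputs ciphertext $\mathsf{ct}$ for plaintext $m$;
3. $\mathsf{D}(\mathsf{pk}, \mathsf{ct}, \mathsf{sk})$ outputs plaintext for ciphertext $\mathsf{ct}$.
Correctness: except with probability negligible in $\lambda$, if $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{Gen}(1^\lambda)$ then $\mathsf{D}(\mathsf{pk}, \mathsf{E}(\mathsf{pk}, m), \mathsf{sk}) = m$.
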
5 Formalization: Game-based (IND-Secure)
A game between Adversary $A$ and Challenger $C$.
Security Game with security parameter $\lambda$:
1. $C$ generates $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{Gen}(1^\lambda)$ and sends $\mathsf{pk}$ to $A$;
2. $A(\mathsf{pk})$ returns two messages $m_0$ and $m_1$ of the same length;
3. $C$ picks $b \in \{0,1\}$ at random, computes $\mathsf{ct} = \mathsf{E}(\mathsf{pk}, m_b)$ and sends $\mathsf{ct}$ to $A$;
4. $A(\mathsf{pk}, \mathsf{ct})$ outputs $b'$.

6 Formalization: Game-based (IND-Secure)
Definitions:
1. $A$ wins if $b = b'$;
2. $A$ breaks $(\mathsf{Gen}, \mathsf{E}, \mathsf{D})$ if $A$ wins with probability $1/2 + 1/\mathrm{poly}(\lambda)$;
3. $(\mathsf{Gen}, \mathsf{E}, \mathsf{D})$ is IND-Secure if no PPT $A$ breaks it.

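7 Formalization: Simulation-based (Semantic Security)
Real world:
1. $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{Gen}(1^\lambda)$;
2. $(m, \mathsf{aux}) \leftarrow A_0(\mathsf{pk})$;
3. $\mathsf{ct} \leftarrow \mathsf{E}(\mathsf{pk}, m)$;
4. $\alpha \leftarrow A_1(\mathsf{pk}, \mathsf{ct}, \mathsf{aux})$;
Output: $(\mathsf{pk}, m, \mathsf{aux}, \alpha)$
Ideal world:
1. $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{Gen}(1^\lambda)$;
2. $(m, \mathsf{aux}) \leftarrow A_0(\mathsf{pk})$;
3. $\mathsf{ct} \leftarrow \mathsf{Sim}(\mathsf{pk}, |m|)$;
4. $\alpha \leftarrow A_1(\mathsf{pk}, \mathsf{ct}, \mathsf{aux})$;
Output: $(\mathsf{pk}, m, \mathsf{aux}, \alpha)$
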
8 Equivalence of the two notions
Theorem (Goldwasser-Micali): $(\mathsf{Gen}, \mathsf{E}, \mathsf{D})$ is Semantic-Secure iff it is IND-Secure.
IND Security implies Semantic Security.
Proof sketch: Simulator computes $\mathsf{ct} = \mathsf{E}(\mathsf{pk}, m')$ for an arbitrary message $m'$ of length $|m|$.

9 The original goal
An adversary, who knows the encryption algorithm and is given the ciphertext, cannot obtain any information about the cleartext (except for its length).
New questions:
Q: Can we control the amount of information released by the ciphertexts?
Q: Can we give different adversaries the ability to extract different bits of the plaintext?
Q: Or compute different predicates of the plaintext?

10 Application scenario
Reading e-mails: Alice keeps her e-mail on a public server. For privacy, messages are sent in encrypted form. Alice downloads a message, decrypts it, and reads it.
Searching e-mails, 1st try: Alice wants to download all messages with subject=projectx. Alice downloads all the messages, decrypts all of them, and selects the ones related to ProjectX.

11 Predicate Encryption: Syntax
Functionality $F : K \times M \to \{0,1\}$.
A Predicate Encryption scheme for $F$ is a tuple of 4 efficient and probabilistic algorithms $(\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Eval})$.
Predicate Encryption Scheme:
1. $\mathsf{Setup}(1^\lambda)$ outputs public and master secret keys $(\mathsf{Pk}, \mathsf{Msk})$ for security parameter $\lambda$;
2. $\mathsf{KeyGen}(\mathsf{Msk}, k)$ outputs token $\mathsf{Tok}_k$ for $k \in K$;
3. $\mathsf{Encrypt}(\mathsf{Pk}, m)$ outputs ciphertext $\mathsf{Ct}$ for plaintext $m \in M$;
4. $\mathsf{Eval}(\mathsf{Pk}, \mathsf{Ct}, \mathsf{Tok}_k)$ outputs $F(k, m)$.

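12 Game-based Security Notion
Security Game with security parameter $\lambda$:
1. $C$ generates $(\mathsf{Pk}, \mathsf{Sk}) \leftarrow \mathsf{Gen}(1^\lambda)$ and sends $\mathsf{Pk}$ to $A$;
2. $A$ asks for tokens $\mathsf{Tok}_{k_1}, \mathsf{Tok}_{k_2}, \ldots, \mathsf{Tok}_{k_{q_1}}$ for $F(k_1, \cdot), \ldots, F(k_{q_1}, \cdot)$;
3. $A$ outputs two messages $m_0$ and $m_1$ of the same length;
4. $C$ picks $b \in \{0,1\}$ at random, computes $\mathsf{Ct} = \mathsf{Encrypt}(\mathsf{Pk}, m_b)$ and sends $\mathsf{Ct}$ to $A$;
5. $A$ asks for tokens $\mathsf{Tok}_{k_{q_1+1}}, \ldots, \mathsf{Tok}_{k_q}$ for $F(k_{q_1+1}, \cdot), \ldots, F(k_q, \cdot)$;
6. $A$ outputs $b'$.
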
13 Game-based Security Notion
Definitions:
1. $A$ wins if $b = b'$ and $F(k_i, m_0) = F(k_i, m_1)$, $i = 1, \ldots, q$;
2. $A$ breaks $(\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Eval})$ if $A$ wins with probability $1/2 + 1/\mathrm{poly}(\lambda)$;
3. $(\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Eval})$ is IND-Secure if no PPT $A$ breaks it.

14 Secure Encryption and Secure Predicate Encryption
Observation: Game-Based Secure Encryption [GM] is Game-Based Secure Predicate Encryption with $K = \{\epsilon\}$ and $F(\epsilon, m) = m$.

15 Some functionalities
Equality: $K = M = \{0,1\}^l$; $F(k, m) = 1$ iff $k = m$.
[Boneh, Di Crescenzo, Ostrovsky, P Eurocrypt 2004]
Hidden Vector Encryption: $M = \{0,1\}^l$, $K = \{0,1,\star\}^l$; $F(k, m) = 1$ iff $k_i = \star$ or $k_i = m_i$, $i = 1, \ldots, l$.
[Boneh, Waters TCC 2007] [Okamoto, Takashima Eurocrypt 2012] [De Caro, Iovino, P Pairing 2012]
Obs: HVE implies Equality.

16 Some functionalities
Inner Product (Orthogonality): $K = M = \mathbb{Z}_n^l$; $F(k, m) = 1$ iff $\sum_i k_i m_i = 0$ (that is, $\langle k, m \rangle = 0$).
[Katz, Sahai, Waters Eurocrypt 2008] [Okamoto, Takashima Eurocrypt 2012]
Proposition: Inner Product implies HVE [KSW].

17 Weakness of Game-Based Security
[Boneh, Sahai, Waters TCC 11]: Simple scheme for predicate encryption that was clearly insecure and nonetheless satisfied the Game-based security notion.
Time for a Simulation-Based Notion of Security.

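18 Formalization: Simulation-based (Semantic Security), Informal
Real world:
$(\mathsf{Pk}, \mathsf{Sk}) \leftarrow \mathsf{Setup}(1^\lambda)$;
$(m, \mathsf{aux}) \leftarrow A_0^{\mathsf{KeyGen}(\mathsf{Sk}, \cdot)}(\mathsf{Pk})$;
$\mathsf{Ct} \leftarrow \mathsf{Encrypt}(\mathsf{Pk}, m)$;
$\alpha \leftarrow A_1(\mathsf{Pk}, \mathsf{Ct}, \mathsf{aux})$;
Output: $(\mathsf{Pk}, m, \alpha)$
Ideal world:
$(\mathsf{Pk}, \mathsf{Sk}) \leftarrow \mathsf{Setup}(1^\lambda)$;
$(m, \mathsf{aux}) \leftarrow A_0^{\mathsf{KeyGen}(\mathsf{Sk}, \cdot)}(\mathsf{Pk})$;
$\mathsf{Ct} \leftarrow \mathsf{Sim}(\mathsf{Pk}, |m|, (k_i, F(k_i, m))_{i=1}^{q})$;
$\alpha \leftarrow A_1(\mathsf{Pk}, \mathsf{Ct}, \mathsf{aux})$;
Output: $(\mathsf{Pk}, m, \alpha)$
$A_0$ has asked and received tokens $\mathsf{Tok}_{k_i}$ for $k_i$, $i = 1, \ldots, q$.
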
19 Our Formalization is different from [BSW]
Some differences. In the [BSW] definition:
- Pk of Ideal world generated by Simulator
- Adversary outputs several messages
- Adversary allowed to ask for tokens after seeing the ciphertext

20 Proof of equivalence breaks down
Simulator computes $\mathsf{Ct} = \mathsf{Encrypt}(\mathsf{Pk}, m')$ for an arbitrary message $m'$ of length $|m|$.
Adversary $A_0$: $\mathsf{aux}$ includes $(\mathsf{Tok}_{k_i}, F(k_i, m))$, for $i = 1, \ldots, q$.
Adversary $A_1$:
Real world: $\mathsf{Eval}(\mathsf{Pk}, \mathsf{Ct}, \mathsf{Tok}_{k_i}) = F(k_i, m)$, $i = 1, \ldots, q$
Ideal world: $\mathsf{Eval}(\mathsf{Pk}, \mathsf{Ct}, \mathsf{Tok}_{k_i}) = F(k_i, m')$, $i = 1, \ldots, q$
Different unless $F(k_i, m) = F(k_i, m')$, $i = 1, \ldots, q$.

21 Pre-image samplability
Functionality $F : K \times M \to \{0,1\}$ is PS if there exists an efficient sampler $\mathsf{Sam}$ such that for all efficient adversaries $A$:
Adversary $A$: output: $l, (k_i, b_i)_{i=1}^{q}$, with $k_i \in K$, $i = 1, \ldots, q$
Sampler $\mathsf{Sam}$: input: $l, (k_i, b_i)_{i=1}^{q}$; output: message $m \in M$ s.t. $F(k_i, m) = b_i$, $i = 1, \ldots, q$ and $|m| = l$
Similar to PS of O'Neill.

22 Pre-image samplability
The simulator $\mathsf{Sim}$:
input: $(\mathsf{Pk}, |m|, (k_i, F(k_i, m))_{i=1}^{q})$
run $\mathsf{Sam}$ on input $|m|, (k_i, F(k_i, m))_{i=1}^{q}$
receive $m'$
output $\mathsf{ct} = \mathsf{Encrypt}(\mathsf{Pk}, m')$
Proposition: If a functionality $F$ is PS then Semantic and Game-Based security coincide.
Proof from [O'Neill].
Notice: converse does not seem to hold.

23 Inner-Product is PS
Sampler $\mathsf{Sam}$:
input: $(\vec{y}_i, b_i)_{i=1}^{q}$, $\vec{y}_i \in \mathbb{Z}_n^l$
solve: $\langle \vec{y}_i, \vec{x} \rangle = b_i$, $i = 1, \ldots, q$, for $\vec{x} \in \mathbb{Z}_n^l$
Corollary: The Okamoto-Takashima construction for Inner Product is Semantically Secure.

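24 Hidden Vector Encryption
$K = \{0,1,\star\}^l$ and $M = \{0,1\}^l$
For $\vec{y} \in K$ and $\vec{x} \in M$:
$\mathsf{Match}(\vec{y}, \vec{x}) = 1$ if for each $i$, $y_i = \star$ or $x_i = y_i$; $\mathsf{Match}(\vec{y}, \vec{x}) = 0$ otherwise.
Examples:
$\vec{y} = (1, 0, \star, 0, 1)$, $\vec{x} = (0, 1, 0, 0, 1)$: $\mathsf{Match}(\vec{y}, \vec{x}) = 0$, $\vec{y}$ does not match $\vec{x}$
$\vec{y} = (0, 1, \star, 1, 0)$, $\vec{x} = (0, 1, 0, 1, 0)$: $\mathsf{Match}(\vec{y}, \vec{x}) = 1$, $\vec{y}$ matches $\vec{x}$
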
25 If HVE is PS then 3SAT can be efficiently decided
Let $\mathsf{Sam}$ be a sampler for HVE.
Given $\Phi$, an $m$-clause $n$-variable formula in 3CNF, we can construct $((\vec{y}_1, b_1), \ldots, (\vec{y}_m, b_m))$ such that $\vec{x} = \mathsf{Sam}((\vec{y}_1, b_1), \ldots, (\vec{y}_m, b_m))$ is a satisfying truth assignment for $\Phi$.

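26 If HVE is PS then 3SAT can be efficiently decided
$\Phi = \underbrace{(x_1 \lor x_2 \lor x_3)}_{C_1} \land \underbrace{(\lnot x_1 \lor \lnot x_3 \lor x_5)}_{C_2} \land \cdots \land \underbrace{(x_{13} \lor \lnot x_{21} \lor x_{34})}_{C_m}$
Each clause $C_j$ gets a vector $\vec{y}_j$ of length $n$ and a bit $b_j$:
$\vec{y}_1$, $b_1 = 0$
$\vec{y}_2$, $b_2 = 0$
$\vdots$
$\vec{y}_m$, $b_m = 0$
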
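27 If HVE is PS then 3SAT can be efficiently decided
Let $\vec{x} = (x_1, \ldots, x_n)$ be the output of $\mathsf{Sam}$.
$\mathsf{Match}(\vec{y}_1, \vec{x}) = 0 \Rightarrow (x_1, x_2, x_3) \neq (0, 0, 0) \Rightarrow C_1$ is satisfied
$\mathsf{Match}(\vec{y}_2, \vec{x}) = 0 \Rightarrow (x_1, x_3, x_5) \neq (1, 1, 0) \Rightarrow C_2$ is satisfied
$\vdots$
$\mathsf{Match}(\vec{y}_m, \vec{x}) = 0 \Rightarrow (x_{13}, x_{21}, x_{34}) \neq (0, 1, 0) \Rightarrow C_m$ is satisfied
$\Rightarrow \vec{x}$ satisfies $\Phi$
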
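The clause-to-pattern construction of slides 25 to 27, written out as an added example (not code from the talk): each clause becomes the pattern that matches exactly its falsifying assignments, paired with the bit 0. The DIMACS-style clause encoding, the function names and the exhaustive-search stand-in for Sam are assumptions of this example; an efficient Sam in its place is what would decide 3SAT.

```python
from itertools import product

STAR = "*"  # wildcard of K = {0,1,*}^l


def match(y, x):
    """HVE predicate: 1 iff every non-wildcard position of y equals x there."""
    return int(all(yi == STAR or yi == xi for yi, xi in zip(y, x)))


def clause_to_pattern(clause, n):
    """Pattern that matches exactly the assignments falsifying `clause`.

    A clause is a list of non-zero ints (DIMACS style, an assumption of this
    example): +i stands for x_i and -i for NOT x_i, variables numbered from 1.
    Returns None for a tautology (x_i OR NOT x_i), which nothing falsifies.
    """
    y = [STAR] * n
    for lit in clause:
        falsifying = 0 if lit > 0 else 1
        pos = abs(lit) - 1
        if y[pos] != STAR and y[pos] != falsifying:
            return None
        y[pos] = falsifying
    return tuple(y)


def formula_to_constraints(clauses, n):
    """One pair (y_j, b_j = 0) per clause; tautological clauses are dropped."""
    patterns = (clause_to_pattern(c, n) for c in clauses)
    return [(y, 0) for y in patterns if y is not None]


def brute_force_sam(constraints, n):
    """Stand-in for Sam: exhaustive search, exponential in n."""
    for x in product((0, 1), repeat=n):
        if all(match(y, x) == b for y, b in constraints):
            return x
    return None


def satisfies(clauses, x):
    """Evaluate the CNF directly, independently of Match."""
    return all(any((x[abs(l) - 1] == 1) == (l > 0) for l in c) for c in clauses)


# Constructed inputs: PHI holds C_1 and C_2 from the slides over n = 5
# variables; UNSAT lists all 8 sign patterns over 3 variables.
PHI = [[1, 2, 3], [-1, -3, 5]]
UNSAT = [[s1 * 1, s2 * 2, s3 * 3] for s1, s2, s3 in product((1, -1), repeat=3)]

if __name__ == "__main__":
    cons = formula_to_constraints(PHI, 5)
    for y, b in cons:
        print("pattern", y, "bit", b)
    x = brute_force_sam(cons, 5)
    print("sampled x =", x, "satisfies PHI:", satisfies(PHI, x))
    unsat_cons = formula_to_constraints(UNSAT, 3)
    print("unsatisfiable formula ->", brute_force_sam(unsat_cons, 3))
```

When the formula is unsatisfiable no pre-image exists, so the search returns None; that is the case a polynomial-time sampler would have to detect.
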
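28 IP implies HVE [KSW]
There exist two poly-time reductions $\mathsf{RMess}$, $\mathsf{RTok}$: for all $\vec{x} \in \{0,1\}^l$ and $\vec{y} \in \{0,1,\star\}^l$,
$\mathsf{Match}(\vec{y}, \vec{x}) = 1$ iff $\langle \mathsf{RMess}(\vec{x}), \mathsf{RTok}(\vec{y}) \rangle = 0$
Notice: $\mathsf{RMess}(\vec{x}), \mathsf{RTok}(\vec{y}) \in \mathbb{Z}_n^{2l}$
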
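29 Semantically Secure HVE
$\mathsf{HVE.Setup}(1^\lambda) := \mathsf{IP.Setup}(1^\lambda)$
$\mathsf{HVE.Encrypt}(\mathsf{Pk}, \vec{x}) := \mathsf{IP.Encrypt}(\mathsf{Pk}, \mathsf{RMess}(\vec{x}))$
$\mathsf{HVE.KeyGen}(\mathsf{Pk}, \vec{y}) := \mathsf{IP.KeyGen}(\mathsf{Pk}, \mathsf{RTok}(\vec{y}))$
$\mathsf{HVE.Test}(\mathsf{Pk}, \mathsf{Ct}, \mathsf{Tok}) := \mathsf{IP.Test}(\mathsf{Pk}, \mathsf{Ct}, \mathsf{Tok})$
Simulator:
input: $(\mathsf{Pk}, |m|, (\vec{y}_i, b_i)_{i=1}^{q})$
run $\mathsf{Sam}$ for IP and obtain $\vec{x}$
$\mathsf{IP.Encrypt}(\mathsf{Pk}, \vec{x})$
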
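An added sketch (not from the slides or from any cited construction's code) that puts slides 23, 28 and 29 together: an encoding for RMess and RTok, a sampler for Inner Product, and the simulator's use of that sampler on HVE tokens. The concrete encoding, the prime modulus P and all function names are assumptions of this example; the slides only state that such reductions exist.

```python
import random
from itertools import product

P = 2**61 - 1  # prime modulus (assumption: the slides work over Z_n)
STAR = "*"

def match(y, x):
    return int(all(yi == STAR or yi == xi for yi, xi in zip(y, x)))

def inner(u, v):
    return sum(a * b for a, b in zip(u, v)) % P

def r_tok(y):
    """RTok: position i becomes (1, y_i) if fixed and (0, 0) if wildcard."""
    out = []
    for yi in y:
        out += [0, 0] if yi == STAR else [1, yi]
    return out

def r_mess(x, rng):
    """RMess: position i becomes (-r_i * x_i, r_i) for a fresh non-zero r_i,
    so the inner product with RTok(y) is the sum of r_i * (y_i - x_i)."""
    out = []
    for xi in x:
        r = rng.randrange(1, P)
        out += [(-r * xi) % P, r]
    return out

def reduction_agrees(l, rng):
    """Match(y, x) = 1 iff <RMess(x), RTok(y)> = 0, over all pairs of length l.
    A mismatch gives 0 only with probability about 1/P."""
    return all(
        (match(y, x) == 1) == (inner(r_mess(x, rng), r_tok(y)) == 0)
        for y in product((0, 1, STAR), repeat=l)
        for x in product((0, 1), repeat=l)
    )

def nullspace(rows, d):
    """Basis of {x in Z_P^d : <r, x> = 0 for all r in rows} (Gauss-Jordan)."""
    m = [[v % P for v in r] for r in rows]
    pivots, rank = [], 0
    for col in range(d):
        pr = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pr is None:
            continue
        m[rank], m[pr] = m[pr], m[rank]
        inv = pow(m[rank][col], -1, P)
        m[rank] = [v * inv % P for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % P for a, b in zip(m[i], m[rank])]
        pivots.append(col)
        rank += 1
    basis = []
    for free in (c for c in range(d) if c not in pivots):
        vec = [0] * d
        vec[free] = 1
        for r, pc in enumerate(pivots):
            vec[pc] = -m[r][free] % P
        basis.append(vec)
    return basis

def ip_sam(constraints, d, rng, tries=8):
    """Sampler for Inner Product: b = 1 asks for <v, x> = 0, b = 0 for != 0.
    Draws a random solution of the b = 1 equations and checks the b = 0 ones;
    returns None when some b = 0 vector is forced to 0 by the b = 1 rows."""
    basis = nullspace([v for v, b in constraints if b == 1], d)
    for _ in range(tries):
        x = [0] * d
        for vec in basis:
            c = rng.randrange(P)
            x = [(xi + c * vi) % P for xi, vi in zip(x, vec)]
        if all((inner(v, x) == 0) == (b == 1) for v, b in constraints):
            return x
    return None

def simulate_vector(hve_constraints, rng):
    """Simulator's plaintext: map each HVE token through RTok, then run ip_sam."""
    l = len(hve_constraints[0][0])
    return ip_sam([(r_tok(y), b) for y, b in hve_constraints], 2 * l, rng)

# Constructed input: every y in {0,1}^3 with bit 0, so no x in {0,1}^3 fits.
NO_HVE_PREIMAGE = [(y, 0) for y in product((0, 1), repeat=3)]

if __name__ == "__main__":
    rng = random.Random(2012)
    print("reduction agrees with Match:", reduction_agrees(3, rng))
    v = simulate_vector(NO_HVE_PREIMAGE, rng)
    print("vector found by the IP sampler:", v)
```

On the constructed token set no HVE message exists, yet the sampler returns a vector in Z_P^6; that vector is not RMess(x) for any x, since every x matches the token y = x.
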
30 Robust Predicate Encryption
Informal: A Robust Predicate Encryption scheme for $F : K \times M \to \{0,1\}$ is a tuple of 5 efficient and probabilistic algorithms $(\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Eval}, \mathsf{Validate})$ s.t. $\mathsf{Validate}(\mathsf{Pk}, \mathsf{Ct}) = 1$ implies $\exists\, m \in M$ s.t.
1. $\mathsf{Ct} = \mathsf{Encrypt}(\mathsf{Pk}, m)$;
2. for all $k \in K$, $\mathsf{Test}(\mathsf{Ct}, \mathsf{Tok}_k) = F(k, m)$.
IP does not give Robust HVE.

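31 Robust Predicate Encryption
Theorem: If there exists a Semantically Secure Robust Predicate Encryption scheme for $F : K \times M \to \{0,1\}$ then $F$ is PS.
Ideal world:
$(\mathsf{Pk}, \mathsf{Sk}) \leftarrow \mathsf{Setup}(1^\lambda)$;
$(m, \mathsf{aux}) \leftarrow A_0^{\mathsf{KeyGen}(\mathsf{Sk}, \cdot)}(\mathsf{Pk})$;
$\mathsf{Ct} \leftarrow \mathsf{Sim}(\mathsf{Pk}, |m|, (k_i, F(k_i, m))_{i=1}^{q})$;
$\alpha \leftarrow A_1(\mathsf{Pk}, \mathsf{Ct}, \mathsf{aux})$;
Output: $(\mathsf{Pk}, m, \alpha)$
$\mathsf{Ct} = \mathsf{Encrypt}(\mathsf{Pk}, m')$
$\mathsf{Test}(\mathsf{Tok}_{k_i}, \mathsf{Ct}) = F(k_i, m')$
$A_0$ keeps tokens in $\mathsf{aux}$
$\mathsf{Test}(\mathsf{Tok}_{k_i}, \mathsf{Ct}) = F(k_i, m)$
$F(k_i, m) = F(k_i, m')$
PS is necessary and sufficient for Robust Predicate Encryption.
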
32 Corollary
If HVE has a Semantically Secure Robust Predicate Encryption scheme then 3SAT can be decided efficiently.
Notice: even for single message and token non-adaptive adversaries ($A_1$ does not ask for tokens).

33 What now?
1. weaken the adversary
2. strengthen the simulator

34 HVE is 1-PS
$\mathsf{Sam}((\vec{y}_1, 1), \ldots, (\vec{y}_q, 1))$
Observation: if $y_{i_1,j}, y_{i_2,j} \neq \star$ then $y_{i_1,j} = y_{i_2,j}$
Corollary: Semantically Secure and Robust HVE for adversaries $A_0$ restricted to output $\vec{x}$ s.t. $F(\vec{y}_i, \vec{x}) = 1$, $i = 1, \ldots, q$

35 q-bounded adversaries
$(\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Encrypt}, \mathsf{Eval})$ game-based secure w.r.t. $q$-bounded adversaries for functionality:
$K$ set of $n$-input circuits, $M = \{0,1\}^n$
$F(C, m) = C(m)$

36 New functionality
$M' = (\{0,1\}^n \cup \{\ \}) \times \underbrace{\{0,1\}^n \times \cdots \times \{0,1\}^n}_{q \text{ times}}$
$K' = K \times \{0,1\}^n$
$F'((C, r), (m, m_1, \ldots, m_q)) =$
  $1$, if $m_i = r$ for some $i$
  $0$, if $m = $
  $C(m)$, otherwise
For randomly chosen $r, m_1, \ldots, m_q$: $F'((C, r), (m, m_1, \ldots, m_q)) = F(C, m)$ except with negligible probability.

37 $F'$ is PS
The sampler $\mathsf{Sam}$:
input: $((C_1, r_1), b_1), \ldots, ((C_q, r_q), b_q)$
output: $m = (\ , m_1, \ldots, m_q)$ with
  $m_i = r_i$, if $b_i = 1$
  $m_i = $ , if $b_i = 0$
Notice: $F'((C_i, r_i), m) = b_i$, $i = 1, \ldots, q$.

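38 Giving more power to the Simulator
Simulator gets the secret key. No problem in [GM].
Real world:
$(\mathsf{Pk}, \mathsf{Sk}) \leftarrow \mathsf{Setup}(1^\lambda)$;
$(m, \mathsf{aux}) \leftarrow A_0^{\mathsf{KeyGen}(\mathsf{Sk}, \cdot)}(\mathsf{Pk})$;
$\mathsf{ct} \leftarrow \mathsf{E}(\mathsf{Pk}, m)$;
$\alpha \leftarrow A_1(\mathsf{Pk}, \mathsf{ct}, \mathsf{aux})$;
Output: $(\mathsf{Pk}, m, \alpha)$
Ideal world:
$(\mathsf{Pk}, \mathsf{Sk}) \leftarrow \mathsf{Setup}(1^\lambda)$;
$(m, \mathsf{aux}) \leftarrow A_0^{\mathsf{KeyGen}(\mathsf{Sk}, \cdot)}(\mathsf{Pk})$;
$\mathsf{ct} \leftarrow \mathsf{Sim}(\mathsf{Pk}, \mathsf{Sk}, |m|, (k_i, F(k_i, m))_{i=1}^{q})$;
$\alpha \leftarrow A_1(\mathsf{Pk}, \mathsf{ct}, \mathsf{aux})$;
Output: $(\mathsf{Pk}, m, \alpha)$
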
39 Simulator gets the secret key
Robust Semantic Security for $F$ does not imply $F$ is PS.
Robust Semantically Secure HVE:
1. Pk has a CRS
2. IP + NIZK that plaintext is from reduction on input $\vec{x} \in \{0,1\}^l$
3. Secret key has trapdoor for CRS
4. Simulator uses IP's sampler and fakes the NIZK proof

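40 Giving more power to the Simulator
Simulator gets the tokens.
Real world:
$(\mathsf{Pk}, \mathsf{Sk}) \leftarrow \mathsf{Setup}(1^\lambda)$;
$(m, \mathsf{aux}) \leftarrow A_0^{\mathsf{KeyGen}(\mathsf{Sk}, \cdot)}(\mathsf{Pk})$;
$\mathsf{ct} \leftarrow \mathsf{E}(\mathsf{Pk}, m)$;
$\alpha \leftarrow A_1(\mathsf{Pk}, \mathsf{ct}, \mathsf{aux})$;
Output: $(\mathsf{Pk}, m, \alpha)$
Ideal world:
$(\mathsf{Pk}, \mathsf{Sk}) \leftarrow \mathsf{Setup}(1^\lambda)$;
$(m, \mathsf{aux}) \leftarrow A_0^{\mathsf{KeyGen}(\mathsf{Sk}, \cdot)}(\mathsf{Pk})$;
$\mathsf{ct} \leftarrow \mathsf{Sim}(\mathsf{Pk}, |m|, (F(k_i, m), \mathsf{Tok}_i)_{i=1}^{q})$;
$\alpha \leftarrow A_1(\mathsf{Pk}, \mathsf{ct}, \mathsf{aux})$;
Output: $(\mathsf{Pk}, m, \alpha)$
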
41 Giving too much power to the Simulator
$F(k, m) = f_k(m)$ where $\{f_k\}$ is a family of one-way trapdoor permutations.
Setup($1^\lambda$):
  $(k, \tau_k) \leftarrow$ TPD.Gen($1^\lambda$)
  (pk, sk) $\leftarrow$ PKE.Setup($1^\lambda$)
  Pk = (pk, $k$)
  Msk = (sk, $\tau_k$)
  return (Pk, Msk)
Encrypt(pk, $m$):
  return PKE.Encrypt(pk, $m$)
KeyGen($k$, Msk):
  return Msk
Eval(Ct, Tok$_k$):
  (sk, $\tau_k$) $\leftarrow$ Tok$_k$
  $m$ = PKE.Decrypt(Ct, sk)
  return $f_k(m)$

42 The simulator
$\mathsf{ct} \leftarrow \mathsf{Sim}(\mathsf{Pk}, |m|, (F(k_i, m), \mathsf{Tok}_i)_{i=1}^{q})$, $q = 0, 1$
If $q = 0$: easy, encrypt any message.
If $q = 1$: $F(k, m) = f_k(m)$ and $\mathsf{Tok}_1 = (\mathsf{sk}, \tau_k)$; get $m$ from $f_k(m)$ and encrypt it.

43 Thank you

44 References
- Boneh, Sahai, Waters: Functional Encryption: Definitions and Challenges, TCC 2011. Unconditional impossibility results for multimessage and token adaptive
- O'Neill: Definitional Issues in Functional Encryption, Cryptology ePrint 2010/556. Pre-image Samplability
- Work in progress: Manuel Barbosa, Angelo De Caro, Pooya Farshim, Vincenzo Iovino, GP.
A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem Jintai Ding, Xiang Xie, Xiaodong Lin University of Cincinnati Chinese Academy of Sciences Rutgers University Abstract.
More information1 Domain Extension for MACs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Reading. Lecture Notes 17: MAC Domain Extension & Digital Signatures Katz-Lindell Ÿ4.34.4 (2nd ed) and Ÿ12.0-12.3 (1st ed).
More informationVERIFIABLE SEARCHABLE SYMMETRIC ENCRYPTION
VERIFIABLE SEARCHABLE SYMMETRIC ENCRYPTION BY ZACHARY A. KISSEL B.S. MERRIMACK COLLEGE (2005) M.S. NORTHEASTERN UNIVERSITY (2007) SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF
More informationChosen-Ciphertext Security from Identity-Based Encryption
Chosen-Ciphertext Security from Identity-Based Encryption Ran Canetti 1, Shai Halevi 1, and Jonathan Katz 2 1 IBM T. J. Watson Research Center, Hawthorne, NY. {canetti,shaih}@watson.ibm.com 2 Dept. of
More informationCertificate Based Signature Schemes without Pairings or Random Oracles
Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying
More informationHow To Create A Multi-Keyword Ranked Search Over Encrypted Cloud Data (Mrse)
JJT-029-2015 SEARCHABLE SYMMETRIC ENCRYPTION METHOD FOR ENCRYPTED DATA IN CLOUD P.Vidyasagar, R.Karthikeyan, Dr.C.Nalini M.Tech Student, Dept of CSE,Bharath University, Email.Id: vsagarp@rediffmail.com
More informationCIS 5371 Cryptography. 8. Encryption --
CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.
More informationBlank Digital Signatures
Blank Digital Signatures Christian Hanser and Daniel Slamanig Institute for Applied Information Processing and Communications (IAIK), Graz University of Technology (TUG), Inffeldgasse 16a, 8010 Graz, Austria
More informationDigital Signatures. What are Signature Schemes?
Digital Signatures Debdeep Mukhopadhyay IIT Kharagpur What are Signature Schemes? Provides message integrity in the public key setting Counter-parts of the message authentication schemes in the public
More informationPart 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext
Part 2 Plaintext M Encrypt with public key E(M, K) Ciphertext Plaintext M D(E(M, K),K ) Decrypt with private key E(M, K) Public and private key related mathematically Public key can be published; private
More informationA Method for Making Password-Based Key Exchange Resilient to Server Compromise
A Method for Making Password-Based Key Exchange Resilient to Server Compromise Craig Gentry 1, Philip MacKenzie 2, and Zulfikar Ramzan 3 1 Stanford University, Palo Alto, CA, USA, cgentry@cs.stanford.edu
More informationComputing on Encrypted Data
Computing on Encrypted Data Secure Internet of Things Seminar David Wu January, 2015 Smart Homes New Applications in the Internet of Things aggregation + analytics usage statistics and reports report energy
More informationDepartment Informatik. Privacy-Preserving Email Forensics. Technical Reports / ISSN 2191-5008. Frederik Armknecht, Andreas Dewald
Department Informatik Technical Reports / ISSN 2191-5008 Frederik Armknecht, Andreas Dewald Privacy-Preserving Email Forensics Technical Report CS-2015-03 April 2015 Please cite as: Frederik Armknecht,
More informationEntangled Encodings and Data Entanglement
An extended abstract of this paper is published in the proceedings of the 3rd International Workshop on Security in Cloud Computing SCC@AsiaCCS 2015. This is the full version. Entangled Encodings and Data
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationParallel and Dynamic Searchable Symmetric Encryption
Parallel and Dynamic Searchable Symmetric Encryption Seny Kamara 1 and Charalampos Papamanthou 2 1 Microsoft Research, senyk@microsoft.com 2 UC Berkeley, cpap@cs.berkeley.edu Abstract. Searchable symmetric
More informationSecurity of Blind Digital Signatures
Security of Blind Digital Signatures (Revised Extended Abstract) Ari Juels 1 Michael Luby 2 Rafail Ostrovsky 3 1 RSA Laboratories. Email: ari@rsa.com. 2 Digital Fountain 3 UCLA, Email: rafail@cs.ucla.edu.
More informationRecongurable Cryptography: A exible approach to long-term security
Recongurable Cryptography: A exible approach to long-term security Julia Hesse and Dennis Hofheinz and Andy Rupp Karlsruhe Institute of Technology, Germany {julia.hesse, dennis.hofheinz, andy.rupp}@kit.edu
More informationSecure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud
1 Secure and Verifiable Policy Update Outsourcing for Big Data Access Control in the Cloud Kan Yang Associate Member IEEE Xiaohua Jia Fellow IEEE Kui Ren Senior Member IEEE Abstract Due to the high volume
More informationProofs in Cryptography
Proofs in Cryptography Ananth Raghunathan Abstract We give a brief overview of proofs in cryptography at a beginners level. We briefly cover a general way to look at proofs in cryptography and briefly
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key
More informationBig Data - Security and Privacy
Big Data - Security and Privacy Elisa Bertino CS Department, Cyber Center, and CERIAS Purdue University Cyber Center! Big Data EveryWhere! Lots of data is being collected, warehoused, and mined Web data,
More informationChapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes
Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret
More informationLecture 15 - Digital Signatures
Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.
More informationA Secure Data Deduplication Scheme for Cloud Storage. Jan Stanek, Alessandro Sorniotti*, Elli Androulaki*, Lukas Kencl
RZ 3852 (# ZUR1308-022) 09/05/2013 Computer Science 26 pages Research Report A Secure Data Deduplication Scheme for Cloud Storage Jan Stanek, Alessandro Sorniotti*, Elli Androulaki*, Lukas Kencl Czech
More informationPrivate Searching On Streaming Data
Journal of Cryptology, Volume 20:4, pp. 397-430, October 2007. 1 Private Searching On Streaming Data Rafail Ostrovsky William E. Skeith III Abstract In this paper, we consider the problem of private searching
More informationData management using Virtualization in Cloud Computing
Data management using Virtualization in Cloud Computing A.S.R. Krishna Kanth M.Tech (CST), Department of Computer Science & Systems Engineering, Andhra University, India. M.Sitha Ram Research Scholar Department
More information