Results 1 - 10 of 45
Improved proxy re-encryption schemes with applications to secure distributed storage
- In NDSS, 2005
Cited by 57 (14 self)
In 1998, Blaze, Bleumer, and Strauss proposed an application called atomic proxy re-encryption, in which a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. We predict that fast and secure re-encryption will become increasingly popular as a method for managing encrypted file systems. Although efficiently computable, the widespread adoption of BBS re-encryption has been hindered by considerable security risks. Following recent work of Ivan and Dodis, we present new re-encryption schemes that realize a stronger notion of security and we demonstrate the usefulness of proxy re-encryption as a method of adding access control to the SFS read-only file system. Performance measurements of our experimental file system demonstrate that proxy re-encryption can work effectively in practice.
Transitive Signature Schemes
- In Proceedings of RSA 2002, volume 2271 of LNCS, 2002
Cited by 45 (8 self)
We consider the problem of finding public-key digital signature schemes with a transitive-closure property for signing the vertices and edges of a (directed or undirected) finite graph. More precisely, we want the property that if Alice has signed edge (u, v) and she has also signed the edge (v, w) then Bob (or anyone) can derive from those two signatures Alice's signature on the edge (u, w). We present an efficient solution for undirected graphs, and leave the case for directed graphs as an open problem.
On Quorum Controlled Asymmetric Proxy Re-encryption
- In Proceedings of Public Key Cryptography, 1999
Cited by 22 (1 self)
We present a scheme for quorum controlled asymmetric proxy re-encryption, with uses ranging from efficient key distribution for pay-TV to email applications. We prove that the scheme, which is based on ElGamal encryption, leaks no information as long as there is no dishonest quorum of proxy servers. Of potential independent interest is a method providing publicly verifiable translation certificates, proving that the input and output encryptions correspond to the same plaintext message, without leaking any information about the plaintext to either the verifier or a subset of the servers of the prover. The size of the certificate is small, and independent of the number of prover servers.
Keywords: asymmetric proxy re-encryption, translation certificate, ElGamal encryption, quorum control, robustness, privacy.
1 Introduction. With an increasing importance of encryption methods for privacy and protection of business secrets, and with an increasing need for a flexible infrast...
Privacy-Enhanced Searches Using Encrypted Bloom Filters
- 2004
Cited by 19 (1 self)
It is often necessary for two or more parties that do not fully trust each other to selectively share data. We propose a search scheme based on Bloom filters and Pohlig-Hellman encryption. A semi-trusted third party can transform one party's search queries to a form suitable for querying the other party's database, in such a way that neither the third party nor the database owner can see the original query. Furthermore, the encryption keys used to construct the Bloom filters are not shared with this third party. Provision can be made for third-party "warrant servers", as well as "censorship sets" that limit the data to be shared.
Chosen-Ciphertext Secure Proxy Re-Encryption
- In Proc. of ACM CCS ’07, 2007
Cited by 19 (1 self)
In a proxy re-encryption (PRE) scheme, a proxy is given special information that allows it to translate a ciphertext under one key into a ciphertext of the same message under a different key. The proxy cannot, however, learn anything about the messages encrypted under either key. PRE schemes have many practical applications, including distributed storage, email, and DRM. Previously proposed re-encryption schemes achieved only semantic security; in contrast, applications often require security against chosen ciphertext attacks. We propose a definition of security against chosen ciphertext attacks for PRE schemes, and present a scheme that satisfies the definition. Our construction is efficient and based only on the Decisional Bilinear Diffie-Hellman assumption in the standard model. We also formally capture CCA security for PRE schemes via both a game-based definition and simulation-based definitions that guarantee universally composable security. We note that, simultaneously with our work, Green and Ateniese proposed a CCA-secure PRE, discussed herein.
Identity-based proxy re-encryption
- In ACNS ’07, 2007
Cited by 18 (0 self)
In a proxy re-encryption scheme a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. A number of solutions have been proposed in the public-key setting. In this paper, we address the problem of Identity-Based proxy re-encryption, where ciphertexts are transformed from one identity to another. Our schemes are compatible with current IBE deployments and do not require any extra work from the IBE trusted-party key generator. In addition, they are non-interactive and one of them permits multiple re-encryptions. Their security is based on a standard assumption (DBDH) in the random oracle model.
Cryptography and the Internet
- In Proceedings of CRYPTO ’98, 1998
Cited by 10 (0 self)
After many years, cryptography is coming to the Internet. Some protocols are in common use; more are being developed and deployed. The major issue has been one of cryptographic engineering: turning academic papers into a secure, implementable specification. But there is missing science as well, especially when it comes to efficient implementation techniques.
1 Introduction. In early 1994, CERT announced that widespread password monitoring was occurring on the Internet. In 1995, Joncheray published a paper explaining how an eavesdropper could hijack a TCP connection [Jon95]. In mid-1998, there is still very little use of cryptography. Finally, though, there is some reason for optimism. A number of factors have combined to change people's behavior. First, of course, there is the rise of the Internet as a mass medium, and along with it the rise of Internet commerce. Consider the following quote from a popular Web site: How does ------.com protect my credit card if I order online? --...
Unidirectional Chosen-Ciphertext Secure Proxy Re-Encryption
- In PKC ’08, LNCS
Cited by 10 (1 self)
In 1998, Blaze, Bleumer and Strauss introduced a cryptographic primitive called proxy re-encryption (PRE) in which a proxy can transform – without seeing the plaintext – a ciphertext encrypted under one key into an encryption of the same plaintext under another key. The concept has recently drawn renewed interest. Notably, Canetti and Hohenberger showed how to properly define (and realize) chosen-ciphertext security for the primitive. Their system is bidirectional as the translation key allows converting ciphertexts in both directions. This paper presents the first unidirectional proxy re-encryption schemes with chosen-ciphertext security in the standard model (i.e. without the random oracle idealization). The first system provably fits a unidirectional extension of the Canetti-Hohenberger security model. As a second contribution, the paper considers a more realistic adversarial model where attackers may choose dishonest users’ keys on their own. It is shown how to modify the first scheme to achieve security in the latter scenario. At a moderate expense, the resulting system provides additional useful properties such as non-interactive temporary delegations. Both constructions are efficient and rely on mild complexity assumptions in bilinear groups. Like the Canetti-Hohenberger scheme, they meet a relaxed flavor of chosen-ciphertext security introduced by Canetti, Krawczyk and Nielsen.
Attribute-based publishing with hidden credentials and hidden policies
- In The 14th Annual Network and Distributed System Security Symposium (NDSS ’07) (To Appear), 2007
Cited by 9 (1 self)
With Hidden Credentials Alice can send policy-encrypted data to Bob in such a way that he can decrypt the data only with the right combination of credentials. Alice gains no knowledge of Bob’s credentials in the process, and hence the name “Hidden Credentials.” Research on Hidden Credential systems has focused on messages sent to single recipients, where the sender needs to know the recipient’s pseudonym beforehand, and on Hidden Policies, where Bob learns as little information as possible about Alice’s policy for decrypting the message. Current schemes provide weak policy privacy — with non-interactive schemes, the recipient can learn parts of the policy, and with interactive schemes based on secure multiparty computation, a user can try different sets of credentials as input to gain knowledge of the policy after repeated decryption attempts. Furthermore, existing schemes do not support policies with negations efficiently. For example, a policy stating “Bob is not a student” is hard to enforce since Bob can simply withhold, or not use, his student credential. We propose a system called PEAPOD (Privacy-Enhanced Attribute-based Publishing Of Data) that provides the following properties: (1) Users can securely publish data protected by attribute-based policies to multiple possible recipients without requiring interaction between senders and receivers. This is achieved by using a semi-trusted server. (2) The plaintext message and the policy are completely hidden from the server. (3) Any recipient, intended or not, learns no other information about a message’s policy beyond the number of clauses in the policy that were satisfied. Furthermore the recipient is forced to use all of his or her issued credentials for decryption, and therefore cannot mount inference attacks by trying to decrypt the
Securely Obfuscating Re-encryption
- In Theory of Cryptography Conference (TCC), 2007
Cited by 8 (0 self)
We present a positive obfuscation result for a traditional cryptographic functionality. This positive result stands in contrast to well-known impossibility results [3] for general obfuscation and recent impossibility and improbability [13] results for obfuscation of many cryptographic functionalities. Whereas other positive obfuscation results in the standard model apply to very simple point functions, our obfuscation result applies to the significantly more complex and widely-used re-encryption functionality. This functionality takes a ciphertext for message m encrypted under Alice’s public key and transforms it into a ciphertext for the same message m under Bob’s public key. To overcome impossibility results and to make our results meaningful for cryptographic functionalities, our scheme satisfies a definition of obfuscation which incorporates more security-aware provisions.

