Results 1 - 10 of 69

Fully homomorphic encryption using ideal lattices
In Proc. STOC, 2009
Cited by 267 (11 self)
We propose a fully homomorphic encryption scheme – i.e., a scheme that allows one to evaluate circuits over encrypted data without being able to decrypt. Our solution comes in three steps. First, we provide a general result – that, to construct an encryption scheme that permits evaluation of arbitrary circuits, it suffices to construct an encryption scheme that can evaluate (slightly augmented versions of) its own decryption circuit; we call a scheme that can evaluate its (augmented) decryption circuit bootstrappable. Next, we describe a public key encryption scheme using ideal lattices that is almost bootstrappable. Lattice-based cryptosystems typically have decryption algorithms with low circuit complexity, often dominated by an inner product computation that is in NC1. Also, ideal lattices provide both additive and multiplicative homomorphisms (modulo a public-key ideal in a polynomial ring that is represented as a lattice), as needed to evaluate general circuits. Unfortunately, our initial scheme is not quite bootstrappable – i.e., the depth that the scheme can correctly evaluate can be logarithmic in the lattice dimension, just like the depth of the decryption circuit, but the latter is greater than the former. In the final step, we show how to modify the scheme to reduce the depth of the decryption circuit, and thereby obtain a bootstrappable encryption scheme, without reducing the depth that the scheme can evaluate. Abstractly, we accomplish this by enabling the encrypter to start the decryption process, leaving less work for the decrypter, much like the server leaves less work for the decrypter in a server-aided cryptosystem.

Improved proxy re-encryption schemes with applications to secure distributed storage
In NDSS, 2005
Cited by 92 (15 self)
In 1998, Blaze, Bleumer, and Strauss proposed an application called atomic proxy re-encryption, in which a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. We predict that fast and secure re-encryption will become increasingly popular as a method for managing encrypted file systems. Although efficiently computable, the widespread adoption of BBS re-encryption has been hindered by considerable security risks. Following recent work of Ivan and Dodis, we present new re-encryption schemes that realize a stronger notion of security and we demonstrate the usefulness of proxy re-encryption as a method of adding access control to the SFS read-only file system. Performance measurements of our experimental file system demonstrate that proxy re-encryption can work effectively in practice.

Transitive Signature Schemes
In Proceedings of RSA 2002, volume 2271 of LNCS, 2002
Cited by 50 (8 self)
We consider the problem of finding public-key digital signature schemes with a transitive-closure property for signing the vertices and edges of a (directed or undirected) finite graph. More precisely, we want the property that if Alice has signed edge (u, v) and she has also signed the edge (v, w) then Bob (or anyone) can derive from those two signatures Alice's signature on the edge (u, w). We present an efficient solution for undirected graphs, and leave the case for directed graphs as an open problem.

Chosen-Ciphertext Secure Proxy Re-Encryption
In Proc. of ACM CCS ’07, 2007
Cited by 29 (1 self)
In a proxy re-encryption (PRE) scheme, a proxy is given special information that allows it to translate a ciphertext under one key into a ciphertext of the same message under a different key. The proxy cannot, however, learn anything about the messages encrypted under either key. PRE schemes have many practical applications, including distributed storage, email, and DRM. Previously proposed re-encryption schemes achieved only semantic security; in contrast, applications often require security against chosen ciphertext attacks. We propose a definition of security against chosen ciphertext attacks for PRE schemes, and present a scheme that satisfies the definition. Our construction is efficient and based only on the Decisional Bilinear Diffie-Hellman assumption in the standard model. We also formally capture CCA security for PRE schemes via both a game-based definition and simulation-based definitions that guarantee universally composable security. We note that, simultaneously with our work, Green and Ateniese proposed a CCA-secure PRE, discussed herein.

Privacy-Enhanced Searches Using Encrypted Bloom Filters
2004
Cited by 27 (1 self)
It is often necessary for two or more parties that do not fully trust each other to selectively share data. We propose a search scheme based on Bloom filters and Pohlig-Hellman encryption. A semi-trusted third party can transform one party's search queries to a form suitable for querying the other party's database, in such a way that neither the third party nor the database owner can see the original query. Furthermore, the encryption keys used to construct the Bloom filters are not shared with this third party. Provision can be made for third-party "warrant servers", as well as "censorship sets" that limit the data to be shared.

Identity-based proxy re-encryption
In ACNS ’07, 2007
Cited by 26 (0 self)
In a proxy re-encryption scheme a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. A number of solutions have been proposed in the public-key setting. In this paper, we address the problem of Identity-Based proxy re-encryption, where ciphertexts are transformed from one identity to another. Our schemes are compatible with current IBE deployments and do not require any extra work from the IBE trusted-party key generator. In addition, they are non-interactive and one of them permits multiple re-encryptions. Their security is based on a standard assumption (DBDH) in the random oracle model.

On Quorum Controlled Asymmetric Proxy Re-encryption
In Proceedings of Public Key Cryptography, 1999
Cited by 24 (1 self)
We present a scheme for quorum controlled asymmetric proxy re-encryption, with uses ranging from efficient key distribution for pay-tv to email applications. We prove that the scheme, which is based on ElGamal encryption, leaks no information as long as there is no dishonest quorum of proxy servers. Of potential independent interest is a method providing publicly verifiable translation certificates, proving that the input and output encryptions correspond to the same plaintext message, without leaking any information about the plaintext to either the verifier or a subset of the servers of the prover. The size of the certificate is small, and independent of the number of prover servers.
Keywords: asymmetric proxy re-encryption, translation certificate, El Gamal encryption, quorum control, robustness, privacy.
1 Introduction: With an increasing importance of encryption methods for privacy and protection of business secrets, and with an increasing need for a flexible infrast...

Unidirectional Chosen-Ciphertext Secure Proxy Re-Encryption
In PKC ’08, LNCS
Cited by 17 (1 self)
In 1998, Blaze, Bleumer and Strauss introduced a cryptographic primitive called proxy re-encryption (PRE) in which a proxy can transform – without seeing the plaintext – a ciphertext encrypted under one key into an encryption of the same plaintext under another key. The concept has recently drawn renewed interest. Notably, Canetti and Hohenberger showed how to properly define (and realize) chosen-ciphertext security for the primitive. Their system is bidirectional as the translation key allows converting ciphertexts in both directions. This paper presents the first unidirectional proxy re-encryption schemes with chosen-ciphertext security in the standard model (i.e. without the random oracle idealization). The first system provably fits a unidirectional extension of the Canetti-Hohenberger security model. As a second contribution, the paper considers a more realistic adversarial model where attackers may choose dishonest users' keys on their own. It is shown how to modify the first scheme to achieve security in the latter scenario. At a moderate expense, the resulting system provides additional useful properties such as non-interactive temporary delegations. Both constructions are efficient and rely on mild complexity assumptions in bilinear groups. Like the Canetti-Hohenberger scheme, they meet a relaxed flavor of chosen-ciphertext security introduced by Canetti, Krawczyk and Nielsen.

Cryptography and the Internet
In Proceedings of CRYPTO ’98, 1998
Cited by 13 (0 self)
After many years, cryptography is coming to the Internet. Some protocols are in common use; more are being developed and deployed. The major issue has been one of cryptographic engineering: turning academic papers into a secure, implementable specification. But there is missing science as well, especially when it comes to efficient implementation techniques.
1 Introduction: In early 1994, CERT announced that widespread password monitoring was occurring on the Internet. In 1995, Joncheray published a paper explaining how an eavesdropper could hijack a TCP connection [Jon95]. In mid-1998, there is still very little use of cryptography. Finally, though, there is some reason for optimism. A number of factors have combined to change people's behavior. First, of course, there is the rise of the Internet as a mass medium, and along with it the rise of Internet commerce. Consider the following quote from a popular Web site: How does .com protect my credit card if I order online? ...

Securely Obfuscating Re-encryption
Theory of Cryptography Conference TCC, 2007
Cited by 12 (0 self)
We present a positive obfuscation result for a traditional cryptographic functionality. This positive result stands in contrast to well-known impossibility results [3] for general obfuscation and recent impossibility and improbability [13] results for obfuscation of many cryptographic functionalities. Whereas other positive obfuscation results in the standard model apply to very simple point functions, our obfuscation result applies to the significantly more complex and widely-used re-encryption functionality. This functionality takes a ciphertext for message m encrypted under Alice’s public key and transforms it into a ciphertext for the same message m under Bob’s public key. To overcome impossibility results and to make our results meaningful for cryptographic functionalities, our scheme satisfies a definition of obfuscation which incorporates more security-aware provisions.