Functional Encryption: Definitions and Challenges
Cited by 110 (17 self)
We initiate the formal study of functional encryption by giving precise definitions of the concept and its security. Roughly speaking, functional encryption supports restricted secret keys that enable a key holder to learn a specific function of encrypted data, but learn nothing else about the data. For example, given an encrypted program the secret key may enable the key holder to learn the output of the program on a specific input without learning anything else about the program. We show that defining security for functional encryption is nontrivial. First, we show that a natural game-based definition is inadequate for some functionalities. We then present a natural simulation-based definition and show that it (provably) cannot be satisfied in the standard model, but can be satisfied in the random oracle model. We show how to map many existing concepts to our formalization of functional encryption and conclude with several interesting open problems in this young area.
Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation
Cited by 32 (6 self)
In this work, we show how to use indistinguishability obfuscation (iO) to build multiparty key exchange, efficient broadcast encryption, and efficient traitor tracing. Our schemes enjoy several interesting properties that have not been achievable before:
• Our multiparty non-interactive key exchange protocol does not require a trusted setup. Moreover, the size of the published value from each user is independent of the total number of users.
• Our broadcast encryption schemes support distributed setup, where users choose their own secret keys rather than being given secret keys by a trusted entity. The broadcast ciphertext size is independent of the number of users.
• Our traitor tracing system is fully collusion resistant with short ciphertexts, secret keys, and public key. Ciphertext size is logarithmic in the number of users and secret-key size is independent of the number of users. Our public key size is polylogarithmic in the number of users. The recent functional encryption system of Garg, Gentry, Halevi, Raykova, Sahai, and Waters also leads to a traitor tracing system with similar ciphertext and secret key size, but the construction in this paper is simpler and more direct. These constructions resolve an open problem relating to differential privacy.
• Generalizing our traitor tracing system gives a private broadcast encryption scheme (where broadcast ciphertexts reveal minimal information about the recipient set) with optimal size ciphertext. Our proof of security for private broadcast encryption and traitor tracing introduces a new tool for iO proofs: the construction makes use of a key-homomorphic symmetric cipher which plays a crucial role in the proof of security.
Achieving Short Ciphertexts or Short Secret Keys for Adaptively Secure General Inner-Product Encryption
2012
Cited by 14 (2 self)
In this paper, we present two non-zero inner-product encryption (NIPE) schemes that are adaptively secure under a standard assumption, the decisional linear (DLIN) assumption, in the standard model. One of the proposed NIPE schemes features constant-size ciphertexts and the other features constant-size secret keys. Our NIPE schemes imply an identity-based revocation (IBR) system with constant-size ciphertexts or constant-size secret keys that is adaptively secure under the DLIN assumption. Any previous IBR scheme with constant-size ciphertexts or constant-size secret keys was not adaptively secure in the standard model. This paper also presents two zero inner-product encryption (ZIPE) schemes, each of which has constant-size ciphertexts or constant-size secret keys and is adaptively secure under the DLIN assumption in the standard model. They imply an identity-based broadcast encryption (IBBE) system with constant-size ciphertexts or constant-size secret keys that is adaptively secure under the DLIN assumption. We also extend the proposed ZIPE schemes in two directions, one is a fully attribute-hiding ZIPE scheme with constant-size secret keys,
Building Efficient Fully Collusion-Resilient Traitor Tracing and Revocation Schemes
Cited by 11 (2 self)
In [8, 9] Boneh et al. presented the first fully collusion-resistant traitor tracing and trace & revoke schemes. These schemes are based on composite order bilinear groups and their security depends on the hardness of the subgroup decision assumption. In this paper we present new, efficient trace & revoke schemes which are based on prime order bilinear groups, and whose security depends on the hardness of the Decisional Linear Assumption or the External Diffie-Hellman (XDH) assumption. This allows our schemes to be flexible and thus much more efficient than existing schemes in terms of a variety of parameters including ciphertext size, encryption time, and decryption time. For example, if encryption time were the major parameter of concern, then for the same level of practical security as [8] our scheme encrypts 6 times faster. Decryption is 10 times faster. The ciphertext size in our scheme is 50% less when compared to [8]. We provide the first implementations of efficient fully collusion-resilient traitor tracing and trace & revoke schemes. The ideas used in this paper can be used to make other cryptographic schemes based on composite order bilinear groups efficient as well.
Towards Black-Box Accountable Authority IBE with Short Ciphertexts and Private Keys
2008
Cited by 10 (2 self)
At Crypto’07, Goyal introduced the concept of Accountable Authority Identity-Based Encryption as a convenient tool to reduce the amount of trust in authorities in Identity-Based Encryption. In this model, if the Private Key Generator (PKG) maliciously redistributes users’ decryption keys, it runs the risk of being caught and prosecuted. Goyal proposed two constructions: the first one is efficient but can only trace well-formed decryption keys to their source; the second one allows tracing obfuscated decryption boxes in a model (called the weak black-box model) where cheating authorities have no decryption oracle. The latter scheme is unfortunately far less efficient in terms of decryption cost and ciphertext size. In this work, we propose a new construction that combines the efficiency of Goyal’s first proposal with a very simple weak black-box tracing mechanism. Our scheme is described in the selective-ID model but readily extends to meet all security properties in the adaptive-ID sense, which is not known to be true for prior black-box schemes. Keywords: Identity-based encryption, traceability, efficiency.
Low Overhead Broadcast Encryption from Multilinear Maps
Cited by 10 (3 self)
We use multilinear maps to provide a solution to the long-standing problem of public-key broadcast encryption where all parameters in the system are small. In our constructions, ciphertext overhead, private key size, and public key size are all polylogarithmic in the total number of users. The systems are fully secure against any number of colluders. All our systems are based on an O(log N)-way multilinear map to support a broadcast system for N users. We present three constructions based on different types of multilinear maps and providing different security guarantees. Our systems naturally give identity-based broadcast systems with short parameters.
Outsider-Anonymous Broadcast Encryption with Sublinear Ciphertexts
Cited by 6 (2 self)
In the standard setting of broadcast encryption, information about the receivers is transmitted as part of the ciphertext. In several broadcast scenarios, however, the identities of the users authorized to access the content are often as sensitive as the content itself. In this paper, we propose the first broadcast encryption scheme with sublinear ciphertexts to attain meaningful guarantees of receiver anonymity. We formalize the notion of outsider-anonymous broadcast encryption (oABE), and describe generic constructions in the standard model that achieve outsider-anonymity under adaptive corruptions in the chosen-plaintext and chosen-ciphertext settings. We also describe two constructions with enhanced decryption, one under the gap Diffie-Hellman assumption, in the random oracle model, and the other under the decisional Diffie-Hellman assumption, in the standard model.
Evaluating Predicates over Encrypted Data
2008
Cited by 5 (0 self)
Predicate encryption is a new encryption paradigm where the secret key owner can perform fine-grained access control over the encrypted data. In particular, the secret key owner can generate a capability corresponding to a query predicate (e.g., whether an encrypted email contains the keyword MEDICAL), and the capability allows one to evaluate the outcome of this predicate on the encrypted data. The high-level goal of this thesis is to build predicate encryption systems that are efficient and support expressive queries and rich operations. Our contributions are summarized below: 1. We propose a predicate encryption scheme supporting multi-dimensional range queries. Prior to this work, researchers had constructed schemes supporting equality tests. Hence, our scheme supports more expressive queries than before. At
Adaptively secure broadcast encryption with small system parameters
IACR Cryptology ePrint Archive
Cited by 3 (0 self)
We build the first public-key broadcast encryption system that simultaneously achieves adaptive security against an arbitrary number of colluders, has small system parameters, and has a security proof based on non-interactive falsifiable assumptions. Our scheme is built from composite order multilinear maps and enjoys a ciphertext overhead, private key size, and public key size that are all polylogarithmic in the total number of users. Previous broadcast schemes with similar parameters are either proven secure in a weaker static model, or rely on powerful tools such as program obfuscation and involve non-falsifiable assumptions.
Efficient Identity-Based Broadcast Encryption without Random Oracles
Journal of Computers
2010
Cited by 2 (0 self)
We propose a new efficient identity-based broadcast encryption scheme without random oracles and prove that it achieves selective-identity, chosen-plaintext security. Our scheme is constructed based on the bilinear Diffie-Hellman inversion assumption and is an efficient hybrid encryption scheme, which achieves O(1)-size ciphertexts and public parameters and constant-size private keys. In our scheme, neither the ciphertexts nor the public parameters depend on the number of receivers; moreover, both encryption and decryption require only one pairing computation. Compared with other identity-based broadcast encryption schemes, our scheme has comparable properties, but with better efficiency. Index Terms: Identity-based broadcast encryption, Random oracles, Bilinear Groups, Bilinear Diffie-Hellman Assumption