Results 1-10 of 119
Conjunctive, subset, and range queries on encrypted data
2007
Cited by 183 (20 self)
We construct public-key systems that support comparison queries (x ≥ a) on encrypted data as well as more general queries such as subset queries (x ∈ S). Furthermore, these systems support arbitrary conjunctive queries (P1 ∧ · · · ∧ Pℓ) without leaking information on individual conjuncts. We present a general framework for constructing and analyzing public-key systems supporting queries on encrypted data.
Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products
Cited by 173 (23 self)
Abstract. Predicate encryption is a new paradigm generalizing, among other things, identity-based encryption. In a predicate encryption scheme, secret keys correspond to predicates and ciphertexts are associated with attributes; the secret key SKf corresponding to a predicate f can be used to decrypt a ciphertext associated with attribute I if and only if f(I) = 1. Constructions of such schemes are currently known for relatively few classes of predicates. We construct such a scheme for predicates corresponding to the evaluation of inner products over ZN (for some large integer N). This, in turn, enables constructions in which predicates correspond to the evaluation of disjunctions, polynomials, CNF/DNF formulae, or threshold predicates (among others). Besides serving as a significant step forward in the theory of predicate encryption, our results lead to a number of applications that are interesting in their own right.
Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption
Cited by 145 (21 self)
In this paper, we present two fully secure functional encryption schemes. Our first result is a fully secure attribute-based encryption (ABE) scheme. Previous constructions of ABE were only proven to be selectively secure. We achieve full security by adapting the dual system encryption methodology recently introduced by Waters and previously leveraged to obtain fully secure IBE and HIBE systems. The primary challenge in applying dual system encryption to ABE is the richer structure of keys and ciphertexts. In an IBE or HIBE system, keys and ciphertexts are both associated with the same type of simple object: identities. In an ABE system, keys and ciphertexts are associated with more complex objects: attributes and access formulas. We use a novel information-theoretic argument to adapt the dual system encryption methodology to the more complicated structure of ABE systems. We construct our system in composite order bilinear groups, where the order is a product of three primes. We prove the security of our system from three static assumptions. Our ABE scheme supports arbitrary monotone access formulas. Our second result is a fully secure (attribute-hiding) predicate encryption (PE) scheme
Practical identity-based encryption without random oracles
of LNCS
Cited by 140 (2 self)
Abstract. We present an Identity Based Encryption (IBE) system that is fully secure in the standard model and has several advantages over previous such systems – namely, computational efficiency, shorter public parameters, and a “tight” security reduction, albeit to a stronger assumption that depends on the number of private key generation queries made by the adversary. Our assumption is a variant of Boneh et al.’s decisional Bilinear Diffie-Hellman Exponent assumption, which has been used to construct efficient hierarchical IBE and broadcast encryption systems. The construction is remarkably simple. It also provides recipient anonymity automatically, providing a second (and more efficient) solution to the problem of achieving anonymous IBE without random oracles. Finally, our proof of CCA2 security, which has more in common with the security proof for the Cramer-Shoup encryption scheme than with security proofs for other IBE systems, may be of independent interest.
Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization
2008
Cited by 134 (9 self)
We present new techniques for realizing Ciphertext-Policy Attribute Encryption (CP-ABE) under concrete and noninteractive cryptographic assumptions. Our solutions allow any encryptor to specify access control in terms of an LSSS matrix, M, over the attributes in the system. We present three different constructions that allow different tradeoffs between the system's efficiency and the complexity of the assumptions used. All three constructions use a common methodology of “directly” solving the CP-ABE problem that enables us to get much better efficiency than prior approaches.
Bonsai Trees, or How to Delegate a Lattice Basis
2010
Cited by 123 (7 self)
We introduce a new lattice-based cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include:
• An efficient, stateless ‘hash-and-sign’ signature scheme in the standard model (i.e., no random oracles), and
• The first hierarchical identity-based encryption (HIBE) scheme (also in the standard model) that does not rely on bilinear pairings.
Interestingly, the abstract properties of bonsai trees seem to have no known realization in conventional number-theoretic cryptography.
Multidimension range query over encrypted data
In IEEE Symposium on Security and Privacy, 2007
Cited by 112 (5 self)
We design an encryption scheme called Multidimensional Range Query over Encrypted Data (MRQED), to address the privacy concerns related to the sharing of network audit logs and various other applications. Our scheme allows a network gateway to encrypt summaries of network flows before submitting them to an untrusted repository. When network intrusions are suspected, an authority can release a key to an auditor, allowing the auditor to decrypt flows whose attributes (e.g., source and destination addresses, port numbers, etc.) fall within specific ranges. However, the privacy of all irrelevant flows is still preserved. We formally define the security for MRQED and prove the security of our construction under the decision bilinear Diffie-Hellman and decision linear assumptions in certain bilinear groups. We study the practical performance of our construction in the context of network audit logs. Apart from network audit logs, our scheme also has interesting applications for financial audit logs, medical privacy, untrusted remote storage, etc. In particular, we show that MRQED implies a solution to its dual problem, which enables investors to trade stocks through a broker in a privacy-preserving manner.
Functional Encryption: Definitions and Challenges
Cited by 109 (17 self)
We initiate the formal study of functional encryption by giving precise definitions of the concept and its security. Roughly speaking, functional encryption supports restricted secret keys that enable a key holder to learn a specific function of encrypted data, but learn nothing else about the data. For example, given an encrypted program the secret key may enable the key holder to learn the output of the program on a specific input without learning anything else about the program. We show that defining security for functional encryption is nontrivial. First, we show that a natural game-based definition is inadequate for some functionalities. We then present a natural simulation-based definition and show that it (provably) cannot be satisfied in the standard model, but can be satisfied in the random oracle model. We show how to map many existing concepts to our formalization of functional encryption and conclude with several interesting open problems in this young area.
Fully secure functional encryption with general relations from the decisional linear assumption
In CRYPTO, 2010
Cited by 79 (0 self)
This paper presents a fully secure functional encryption scheme for a wide class of relations, that are specified by non-monotone access structures combined with inner-product relations. The security is proven under a standard assumption, the decisional linear (DLIN) assumption, in the standard model. The proposed functional encryption scheme covers, as special cases, (1) key-policy, ciphertext-policy and unified-policy (of key and ciphertext policies) attribute-based encryption with non-monotone access structures, and (2) (hierarchical) predicate encryption with inner-product relations and functional encryption with nonzero
Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE
In Advances in Cryptology — CRYPTO 2010, Springer LNCS 6223, 2010
Cited by 51 (10 self)
Abstract. We present a technique for delegating a short lattice basis that has the advantage of keeping the lattice dimension unchanged upon delegation. Building on this result, we construct two new hierarchical identity-based encryption (HIBE) schemes, with and without random oracles. The resulting systems are very different from earlier lattice-based HIBEs and in some cases result in shorter ciphertexts and private keys. We prove security from classic lattice hardness assumptions.