Results 11 - 20 of 119
Unidirectional Chosen-Ciphertext Secure Proxy Re-Encryption
 In PKC’08, LNCS
Cited by 40 (1 self)
Abstract. In 1998, Blaze, Bleumer and Strauss introduced a cryptographic primitive called proxy re-encryption (PRE) in which a proxy can transform – without seeing the plaintext – a ciphertext encrypted under one key into an encryption of the same plaintext under another key. The concept has recently drawn renewed interest. Notably, Canetti and Hohenberger showed how to properly define (and realize) chosen-ciphertext security for the primitive. Their system is bidirectional as the translation key allows converting ciphertexts in both directions. This paper presents the first unidirectional proxy re-encryption schemes with chosen-ciphertext security in the standard model (i.e. without the random oracle idealization). The first system provably fits a unidirectional extension of the Canetti-Hohenberger security model. As a second contribution, the paper considers a more realistic adversarial model where attackers may choose dishonest users’ keys on their own. It is shown how to modify the first scheme to achieve security in the latter scenario. At a moderate expense, the resulting system provides additional useful properties such as non-interactive temporary delegations. Both constructions are efficient and rely on mild complexity assumptions in bilinear groups. Like the Canetti-Hohenberger scheme, they meet a relaxed flavor of chosen-ciphertext security introduced by Canetti, Krawczyk and Nielsen.
Functional Encryption with Bounded Collusions via Multi-Party Computation
, 2012
Cited by 39 (8 self)
We construct a functional encryption scheme secure against an a-priori bounded polynomial number of collusions for the class of all polynomial-size circuits. Our constructions require only semantically secure public-key encryption schemes and pseudorandom generators computable by small-depth circuits (known to be implied by most concrete intractability assumptions). For certain special cases such as predicate encryption schemes with public index, the construction requires only semantically secure encryption schemes, which is clearly the minimal necessary assumption. Our constructions rely heavily on techniques from secure multi-party computation and randomized encodings. All our constructions are secure under a strong, adaptive simulation-based definition of functional encryption.
Anonymity and security in delay tolerant networks
 In SecureComm
, 2007
Cited by 39 (5 self)
A delay tolerant network (DTN) is a store and forward network where end-to-end connectivity is not assumed and where opportunistic links between nodes are used to transfer data. An emerging application of DTNs are rural area DTNs, which provide Internet connectivity to rural areas in developing regions using conventional transportation mediums, like buses. Potential applications of these rural area DTNs are e-governance, telemedicine and citizen journalism. Therefore, security and privacy are critical for DTNs. Traditional cryptographic techniques based on PKI-certified public keys assume continuous network access, which makes these techniques inapplicable to DTNs because of their disconnected nature. We present the first anonymous communication solution for DTNs and introduce a new anonymous authentication protocol as part of it. Furthermore, we present a security infrastructure for DTNs to provide efficient secure communication. Our anonymity and security solutions are based on identity-based cryptography. We show that our solutions have better performance than previously proposed security infrastructures for DTNs.
Practical Private Set Intersection Protocols with Linear Computational and Bandwidth Complexity
, 2010
Cited by 38 (11 self)
Increasing dependence on anytime-anywhere availability of data and the commensurately increasing fear of losing privacy motivate the need for privacy-preserving techniques. One interesting and common problem occurs when two parties need to privately compute an intersection of their respective sets of data. In doing so, one or both parties must obtain the intersection (if one exists), while neither should learn anything about the other set. Although prior work has yielded a number of effective and elegant Private Set Intersection (PSI) techniques, the quest for efficiency is still underway. This paper explores some PSI variations and constructs several secure protocols that are appreciably more efficient than the state-of-the-art.
Linear-Complexity Private Set Intersection Protocols Secure in Malicious Model
, 2010
Cited by 23 (2 self)
Private Set Intersection (PSI) protocols allow one party (“client”) to compute an intersection of its input set with that of another party (“server”), such that the client learns nothing other than the set intersection and the server learns nothing beyond client input size. Prior work yielded a range of PSI protocols secure under different cryptographic assumptions. Protocols operating in the semi-honest model offer better (linear) complexity while those in the malicious model are often significantly more costly. In this paper, we construct PSI and Authorized PSI (APSI) protocols secure in the malicious model under standard cryptographic assumptions, with both linear communication and computational complexities. To the best of our knowledge, our APSI is the first solution to do so. Finally, we show that our linear PSI is appreciably more efficient than the state-of-the-art.
Mediated Ciphertext-Policy Attribute-Based Encryption and its Application
Cited by 22 (0 self)
Abstract. In Ciphertext-Policy Attribute-Based Encryption (CP-ABE), a user secret key is associated with a set of attributes, and the ciphertext is associated with an access policy over attributes. The user can decrypt the ciphertext if and only if the attribute set of his secret key satisfies the access policy specified in the ciphertext. Several CP-ABE schemes have been proposed; however, some practical problems, such as attribute revocation, still need to be addressed. In this paper, we propose a mediated Ciphertext-Policy Attribute-Based Encryption (mCP-ABE) which extends CP-ABE with instantaneous attribute revocation. Furthermore, we demonstrate how to apply the proposed mCP-ABE scheme to securely manage Personal Health Records (PHRs).
Ciphertext-Policy Attribute-Based Threshold Decryption with Flexible Delegation and Revocation of User Attributes
Cited by 21 (0 self)
Abstract. In Ciphertext-Policy Attribute-Based Encryption (CP-ABE), a user secret key is associated with a set of attributes, and the ciphertext is associated with an access structure or decryption policy over attributes. The user can decrypt the ciphertext if and only if the attribute set of his secret key satisfies the decryption policy specified in the ciphertext. Several CP-ABE schemes have been proposed; however, to become practical the problem of revocation and delegation should be addressed. In this paper, we propose Ciphertext-Policy Attribute-Based Threshold Decryption (CP-ABTD) which extends CP-ABE with flexible attribute delegation and instantaneous attribute revocation. CP-ABTD has three advantages over CP-ABE. First, Alice (delegator), who has a secret key associated with a set of attributes, can delegate her authorization to Bob (delegatee). Second, Alice can decide whether to allow Bob to be able to delegate her authorization further. Third, the proposed scheme achieves instantaneous attribute revocation, that is, once the attribute is revoked the user cannot use it in the decryption phase. We demonstrate how to apply the proposed CP-ABTD scheme to securely manage Personal Health Records (PHRs).
Blind and Anonymous Identity-Based Encryption and Authorised Private Searches on Public Key Encrypted Data.
 PKC 2009. LNCS,
, 2009
Cited by 19 (0 self)
Abstract. Searchable encryption schemes provide an important mechanism to cryptographically protect data while keeping it available to be searched and accessed. In a common approach for their construction, the encrypting entity chooses one or several keywords that describe the content of each encrypted record of data. To perform a search, a user obtains a trapdoor for a keyword of her interest and uses this trapdoor to find all the data described by this keyword. We present a searchable encryption scheme that allows users to privately search by keywords on encrypted data in a public key setting and decrypt the search results. To this end, we define and implement two primitives: public key encryption with oblivious keyword search (PEOKS) and committed blind anonymous identity-based encryption (IBE). PEOKS is an extension of public key encryption with keyword search (PEKS) in which users can obtain trapdoors from the secret key holder without revealing the keywords. Furthermore, we define committed blind trapdoor extraction, which facilitates the definition of authorisation policies to describe which trapdoor a particular user can request. We construct a PEOKS scheme by using our other primitive, which we believe to be the first blind and anonymous IBE scheme. We apply our PEOKS scheme to build a public key encrypted database that permits authorised private searches, i.e., neither the keywords nor the search results are revealed.
Hidden vector encryption with groups of prime order
, 2008
Cited by 19 (1 self)
Abstract. Predicate encryption schemes are encryption schemes in which each ciphertext Ct is associated with a binary attribute vector x = (x1, ..., xn) and keys K are associated with predicates. A key K can decrypt a ciphertext Ct if and only if the attribute vector of the ciphertext satisfies the predicate of the key. Predicate encryption schemes can be used to implement fine-grained access control on encrypted data and to perform search on encrypted data. Hidden vector encryption schemes [Boneh and Waters – TCC 2007] are encryption schemes in which each ciphertext Ct is associated with a binary vector x = (x1, ..., xn) and each key K is associated with binary vector y = (y1, ..., yn) with “don’t care” entries (denoted with ?). Key K can decrypt ciphertext Ct if and only if x and y agree for all i for which yi ≠ ?. Hidden vector encryption schemes are an important type of predicate encryption schemes as they can be used to construct more sophisticated predicate encryption schemes (supporting for example range and subset queries). We give a construction for hidden-vector encryption from standard complexity assumptions on bilinear groups of prime order. Previous constructions were in bilinear groups of composite order and thus resulted in less efficient schemes. Our construction is both payload-hiding and attribute-hiding meaning that also the privacy of the attribute vector, besides privacy of the cleartext, is guaranteed.
Expressive key-policy attribute-based encryption with constant-size ciphertexts
 in Proceedings of 14th International Conference on Practice and Theory in Public Key Cryptography (PKC 2011)
, 2011
Cited by 18 (4 self)
Abstract. Attribute-based encryption (ABE), as introduced by Sahai and Waters, allows for fine-grained access control on encrypted data. In its key-policy flavor, the primitive enables senders to encrypt messages under a set of attributes and private keys are associated with access structures that specify which ciphertexts the key holder will be allowed to decrypt. In most ABE systems, the ciphertext size grows linearly with the number of ciphertext attributes and the only known exceptions only support restricted forms of threshold access policies. This paper proposes the first key-policy attribute-based encryption (KP-ABE) schemes allowing for non-monotonic access structures (i.e., that may contain negated attributes) and with constant ciphertext size. Towards achieving this goal, we first show that a certain class of identity-based broadcast encryption schemes generically yields monotonic KP-ABE systems in the selective set model. We then describe a new efficient identity-based revocation mechanism that, when combined with a particular instantiation of our general monotonic construction, gives rise to the first truly expressive KP-ABE realization with constant-size ciphertexts. The downside of these new constructions is that private keys have quadratic size in the number of attributes. On the other hand, they reduce the number of pairing evaluations to a constant, which appears to be a unique feature among expressive KP-ABE schemes.