Attribute-based encryption for fine-grained access control of encrypted data
In Proc. of ACM CCS’06, 2006
Cited by 522 (23 self)
As more sensitive data is shared and stored by third-party sites on the Internet, there will be a need to encrypt data stored at these sites. One drawback of encrypting data is that it can be selectively shared only at a coarse-grained level (i.e., giving another party your private key). We develop a new cryptosystem for fine-grained sharing of encrypted data that we call Key-Policy Attribute-Based Encryption (KP-ABE). In our cryptosystem, ciphertexts are labeled with sets of attributes and private keys are associated with access structures that control which ciphertexts a user is able to decrypt. We demonstrate the applicability of our construction to sharing of audit-log information and broadcast encryption. Our construction supports delegation of private keys which subsumes Hierarchical Identity-Based Encryption (HIBE). E.3 [Data En
Hierarchical identity based encryption with constant size ciphertext
2005
Attribute-based encryption with non-monotonic access structures
In ACM CCCS, 2007
Cited by 130 (5 self)
We construct an Attribute-Based Encryption (ABE) scheme that allows a user’s private key to be expressed in terms of any access formula over attributes. Previous ABE schemes were limited to expressing only monotonic access structures. We provide a proof of security for our scheme based on the Decisional Bilinear Diffie-Hellman (BDH) assumption. Furthermore, the performance of our new scheme compares favorably with existing, less-expressive schemes. Categories and Subject Descriptors: E.3 [Data Encryption]: Public key cryptosystems. General Terms: Security.
Provably secure ciphertext policy ABE. Cryptology ePrint Archive Report 2007/183
2007
Cited by 99 (1 self)
In ciphertext policy attribute-based encryption (CP-ABE), every secret key is associated with a set of attributes, and every ciphertext is associated with an access structure on attributes. Decryption is enabled if and only if the user’s attribute set satisfies the ciphertext access structure. This provides fine-grained access control on shared data in many practical settings, e.g., secure database and IP multicast. In this paper, we study CP-ABE schemes in which access structures are AND gates on positive and negative attributes. Our basic scheme is proven to be chosen plaintext (CPA) secure under the decisional bilinear Diffie-Hellman (DBDH) assumption. We then apply the Canetti-Halevi-Katz technique to obtain a chosen ciphertext (CCA) secure extension using one-time signatures. The security proof is a reduction to the DBDH assumption and the strong existential unforgeability of the signature primitive. In addition, we introduce hierarchical attributes to optimize our basic scheme—reducing both ciphertext size and encryption/decryption time while maintaining CPA security. We conclude with a discussion of practical applications of
Pairing-based Cryptography at High Security Levels
Proceedings of Cryptography and Coding 2005, volume 3796 of LNCS, 2005
Cited by 90 (3 self)
In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identity-based encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128, 192, or 256-bit AES keys. In this paper we examine the implications of heightened security needs for pairing-based cryptosystems. We first describe three different reasons why high-security users might have concerns about the long-term viability of these systems. However, in our view none of the risks inherent in pairing-based systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairing-based cryptosystems. The first has the property that the pairing takes values in the prime field $\mathbb{F}_p$ over which the curve is defined; the second family consists of supersingular curves with embedding degree $k = 2$. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree $k$, including $k = 1$ and $k = 24$. Let E be the elliptic curve 1.
NOYB: Privacy in Online Social Networks
Cited by 82 (1 self)
Increasingly, Internet users trade privacy for service. Facebook, Google, and others mine personal information to target advertising. This paper presents a preliminary and partial answer to the general question “Can users retain their privacy while still benefiting from these web services?”. We propose NOYB, a novel approach that provides privacy while preserving some of the functionality provided by online services. We apply our approach to the Facebook online social networking website. Through a proof-of-concept implementation we demonstrate that NOYB is practical and incrementally deployable, requires no changes to or cooperation from an existing online service, and indeed can be non-trivial for the online service to detect.
SPORC: Group Collaboration using Untrusted Cloud Resources
9th USENIX Symposium on Operating Systems Design and Implementation (OSDI ’10), 2010
Cited by 80 (6 self)
Cloud-based services are an attractive deployment model for user-facing applications like word processing and calendaring. Unlike desktop applications, cloud services allow multiple users to edit shared state concurrently and in real-time, while being scalable, highly available, and globally accessible. Unfortunately, these benefits come at the cost of fully trusting cloud providers with potentially sensitive and important data. To overcome this strict trade-off, we present SPORC, a generic framework for building a wide variety of collaborative applications with untrusted servers. In SPORC, a server observes only encrypted data and cannot deviate from correct execution without being detected. SPORC allows concurrent, low-latency editing of shared state, permits disconnected operation, and supports dynamic access control even in the presence of concurrency. We demonstrate SPORC’s flexibility through two prototype applications: a causally-consistent key-value store and a browser-based collaborative text editor. Conceptually, SPORC illustrates the complementary benefits of operational transformation (OT) and fork* consistency. The former allows SPORC clients to execute concurrent operations without locking and to resolve any resulting conflicts automatically. The latter prevents a misbehaving server from equivocating about the order of operations unless it is willing to fork clients into disjoint sets. Notably, unlike previous systems, SPORC can automatically recover from such malicious forks by leveraging OT’s conflict resolution mechanism.
Quadratic Span Programs and Succinct NIZKs without PCPs
Cited by 72 (8 self)
We introduce a new characterization of the NP complexity class, called Quadratic Span Programs (QSPs), which is a natural extension of span programs defined by Karchmer and Wigderson. Our main motivation is the construction of succinct arguments of NP-statements that are quick to construct and verify. QSPs seem well-suited for this task, perhaps even better than Probabilistically Checkable Proofs (PCPs). In 2010, Groth constructed a NIZK argument in the common reference string (CRS) model for Circuit-SAT consisting of only 42 elements in a bilinear group. Interestingly, his argument does not (explicitly) use PCPs. But his scheme has some disadvantages – namely, the CRS size and prover computation are both quadratic in the circuit size. In 2011, Lipmaa reduced the CRS size to quasi-linear, but with prover computation still quadratic. Using QSPs we construct a NIZK argument in the CRS model for Circuit-SAT consisting of just 7 group elements. The CRS size is linear in the circuit size, and prover computation is quasi-linear, making our scheme seemingly quite practical. (The prover only needs to do a linear number of group operations; the quasi-linear computation is a multipoint evaluation and interpolation.) Our results are complementary to those of Valiant (TCC 2008) and Bitansky et al. (2012), who use “bootstrapping” (recursive composition) of arguments to reduce CRS size and prover and verifier computation. QSPs also provide a crisp mathematical abstraction of some of the techniques underlying Groth’s and Lipmaa’s constructions.
Security analysis of the strong Diffie-Hellman problem
2006
Cited by 71 (2 self)
Let $g$ be an element of prime order $p$ in an abelian group and $\alpha \in \mathbb{Z}_p$. We show that if $g$, $g^{\alpha}$, and $g^{\alpha^d}$ are given for a positive divisor $d$ of $p-1$, we can compute the secret $\alpha$ in $O(\log p \cdot (\sqrt{p/d} + \sqrt{d}))$ group operations using $O(\max\{\sqrt{p/d}, \sqrt{d}\})$ memory. If $g^{\alpha^i}$ ($i = 0, 1, 2, \ldots, d$) are provided for a positive divisor $d$ of $p+1$, $\alpha$ can be computed in $O(\log p \cdot (\sqrt{p/d} + d))$ group operations using $O(\max\{\sqrt{p/d}, \sqrt{d}\})$ memory. This implies that the strong Diffie-Hellman problem and its related problems have computational complexity reduced by $O(\sqrt{d})$ from that of the discrete logarithm problem for such primes. Further we apply this algorithm to the schemes based on the Diffie-Hellman problem on an abelian group of prime order $p$. As a result, we reduce the complexity of recovering the secret key from $O(\sqrt{p})$ to $O(\sqrt{p/d})$ for Boldyreva’s blind signature and the original ElGamal scheme when $p-1$ (resp. $p+1$) has a divisor $d \le p^{1/2}$ (resp. $d \le p^{1/3}$) and $d$ signature or decryption queries are allowed.
Constrained Pseudorandom Functions and Their Applications
Cited by 69 (11 self)
We put forward a new notion of pseudorandom functions (PRFs) we call constrained PRFs. In a standard PRF there is a master key $k$ that enables one to evaluate the function at all points in the domain of the function. In a constrained PRF it is possible to derive constrained keys $k_S$ from the master key $k$. A constrained key $k_S$ enables the evaluation of the PRF at a certain subset $S$ of the domain and nowhere else. We present a formal framework for this concept and show that constrained PRFs can be used to construct powerful primitives such as identity-based key exchange and an optimal private broadcast encryption system. We then construct constrained PRFs for several natural set systems needed for these applications. We conclude with several open problems relating to this new concept.