Results 1 - 10 of 37
CCA-Secure Proxy Re-encryption without Pairings
of Lecture Notes in Computer Science, 2009
Cited by 26 (1 self)
In a proxy re-encryption scheme, a semi-trusted proxy can transform a ciphertext under Alice’s public key into another ciphertext that Bob can decrypt. However, the proxy cannot access the plaintext. Due to its transformation property, proxy re-encryption can be used in many applications, such as encrypted email forwarding. In this paper, by using signature of knowledge and Fujisaki-Okamoto conversion, we propose a proxy re-encryption scheme without pairings, in which the proxy can only transform the ciphertext in one direction. The proposal is secure against chosen ciphertext attack (CCA) and collusion attack in the random oracle model based on Decisional Diffie-Hellman (DDH) assumption over $\mathbb{Z}^*_{N^2}$ and integer factorization assumption, respectively. To the best of our knowledge, it is the first unidirectional PRE scheme with CCA security and collusion-resistance.
Chosen-Ciphertext Secure Proxy Re-encryption without Pairings
In proc. of International Conference on Cryptology and Network Security, CANS’08, 2008
Cited by 16 (4 self)
Proxy re-encryption (PRE), introduced by Blaze, Bleumer and Strauss, allows a semi-trusted proxy to convert a ciphertext originally intended for Alice into an encryption of the same message intended for Bob. Proxy re-encryption has found many practical applications, such as encrypted email forwarding, secure distributed file systems, and outsourced filtering of encrypted spam. In ACM CCS’07, Canetti and Hohenberger presented a bidirectional PRE scheme with chosen-ciphertext security, and left an important open problem to construct a chosen-ciphertext secure proxy re-encryption scheme without pairings. In this paper, we propose a bidirectional PRE scheme with chosen-ciphertext security. The proposed scheme is fairly efficient due to two distinguished features: (i) it does not use the costly bilinear pairings; (ii) the computational cost and the ciphertext length decrease with re-encryption.
Efficient Unidirectional Proxy Re-Encryption
Cited by 12 (0 self)
Abstract. Proxy re-encryption (PRE) allows a semi-trusted proxy to convert a ciphertext originally intended for Alice into one encrypting the same message for Bob. The proxy only needs a re-encryption key given by Alice, and cannot learn anything about the message encrypted. This adds flexibility in various data security applications, such as confidential email, digital right management and distributed storage. In this paper, we study unidirectional PRE, where the re-encryption key only enables delegation in one direction but not the opposite. In PKC 2009, Shao and Cao [23] proposed a unidirectional PRE in the random oracle model. However, we show how to launch a chosen-ciphertext attack (CCA) on this recently proposed scheme and discuss the flaws in their proof. We then propose an efficient unidirectional PRE scheme (without resorting to pairings). We gain the high efficiency and CCA-security under the computational Diffie-Hellman assumption, in the random oracle model. Key words: proxy re-encryption, unidirectional, chosen-ciphertext attack
Tracing Malicious Proxies in Proxy Re-Encryption
Cited by 11 (0 self)
Abstract. In 1998, Blaze, Bleumer and Strauss put forth a cryptographic primitive, termed proxy re-encryption, where a semi-trusted proxy is given some piece of information that enables the re-encryption of ciphertexts from one key to another. Unidirectional schemes only allow translating from the delegator to the delegatee and not in the opposite direction. In all constructions described so far, although colluding proxies and delegatees cannot expose the delegator’s long term secret, they can derive and disclose subkeys that suffice to open all translatable ciphertexts sent to the delegator. They can also generate new re-encryption keys for receivers that are not trusted by the delegator. In this paper, we propose traceable proxy re-encryption systems, where proxies that leak their re-encryption key can be identified by the delegator. The primitive does not preclude illegal transfers of delegation but rather strives to deter them. We give security definitions for this new primitive and a construction meeting the formalized requirements. This construction is fairly efficient, with ciphertexts that have logarithmic size in the number of delegations, but uses a non-black-box tracing algorithm. We discuss how to provide the scheme with a black box tracing mechanism at the expense of longer ciphertexts.
Key Homomorphic PRFs and Their Applications, 2014
Cited by 10 (1 self)
A pseudorandom function F: K × X → Y is said to be key homomorphic if given F(k1, x) and F(k2, x) there is an efficient algorithm to compute F(k1 ⊕ k2, x), where ⊕ denotes a group operation on k1 and k2 such as xor. Key homomorphic PRFs are natural objects to study and have a number of interesting applications: they can simplify the process of rotating encryption keys for encrypted data stored in the cloud, they give one round distributed PRFs, and they can be the basis of a symmetric-key proxy re-encryption scheme. Until now all known constructions for key homomorphic PRFs were only proven secure in the random oracle model. We construct the first provably secure key homomorphic PRFs in the standard model. Our main construction is based on the learning with errors (LWE) problem. In the proof of security we need a variant of LWE where query points are non-uniform and we show that this variant is as hard as the standard LWE. We also construct key homomorphic PRFs based on the decision linear assumption in groups with an ℓ-linear map. We leave as an open problem the question of constructing standard model key homomorphic PRFs from more general assumptions.
Efficient Conditional Proxy Re-encryption with Chosen-Ciphertext Security
Cited by 4 (0 self)
Abstract. Recently, a variant of proxy re-encryption, named conditional proxy re-encryption (C-PRE), has been introduced. Compared with traditional proxy re-encryption, C-PRE enables the delegator to implement fine-grained delegation of decryption rights, and thus is more useful in many applications. In this paper, based on a careful observation on the existing definitions and security notions for C-PRE, we re-formalize more rigorous definition and security notions for C-PRE. We further propose a more efficient C-PRE scheme, and prove its chosen-ciphertext security under the decisional bilinear Diffie-Hellman (DBDH) assumption in the random oracle model. In addition, we point out that a recent C-PRE scheme fails to achieve the chosen-ciphertext security.
Key-homomorphic constrained pseudorandom functions
In TCC(II, 2015
Cited by 3 (1 self)
Abstract. A pseudorandom function (PRF) is a keyed function F: K × X → Y where, for a random key k ∈ K, the function F(k, ·) is indistinguishable from a uniformly random function, given black-box access. A key-homomorphic PRF has the additional feature that for any keys k, k′ and any input x, we have F(k + k′, x) = F(k, x) ⊕ F(k′, x) for some group operations +, ⊕ on K and Y, respectively. A constrained PRF for a family of sets S ⊆ P(X) has the property that, given any key k and set S ∈ S, one can efficiently compute a “constrained” key k_S that enables evaluation of F(k, x) on all inputs x ∈ S, while the values F(k, x) for x ∉ S remain pseudorandom even given k_S. In this paper we construct PRFs that are simultaneously constrained and key homomorphic, where the homomorphic property holds even for constrained keys. We first show that the multilinear map-based bit-fixing and circuit-constrained PRFs of Boneh and Waters (Asiacrypt 2013) can be modified to also be key-homomorphic. We then show that the LWE-based key-homomorphic PRFs of Banerjee and Peikert (Crypto 2014) are essentially already prefix-constrained
A Ciphertext-Policy Attribute-Based Proxy Re-Encryption with Chosen-Ciphertext Security
Cited by 3 (2 self)
Abstract. Ciphertext-Policy Attribute-Based Proxy Re-Encryption (CP-ABPRE) extends the traditional Proxy Re-Encryption (PRE) by allowing a semi-trusted proxy to transform a ciphertext under an access policy to the one with the same plaintext under another access policy (i.e. attribute-based re-encryption). The proxy, however, learns nothing about the underlying plaintext. CP-ABPRE has many real world applications, such as fine-grained access control in cloud storage systems and medical records sharing among different hospitals. Previous CP-ABPRE schemes leave how to be secure against chosen-ciphertext attacks (CCA) as an open problem. This paper, for the first time, proposes a new CP-ABPRE to tackle the problem. The new scheme supports attribute-based re-encryption with any monotonic access structures. Although our scheme is constructed in the random oracle model, it can be proved CCA secure under the decisional q-parallel bilinear Diffie-Hellman exponent assumption.
Augmented Learning with Errors: The Untapped Potential of the Error Term
Cited by 2 (1 self)
Abstract. The Learning with Errors (LWE) problem has gained a lot of attention in recent years leading to a series of new cryptographic applications. Specifically, it states that it is hard to distinguish random linear equations disguised by some small error from truly random ones. Interestingly, cryptographic primitives based on LWE often do not exploit the full potential of the error term besides its importance for security. To this end, we introduce a novel LWE-close assumption, namely Augmented Learning with Errors (A-LWE), which allows one to hide auxiliary data injected into the error term by a technique that we call message embedding. In particular, it enables existing cryptosystems to strongly increase the message throughput per ciphertext. We show that A-LWE is for certain instantiations at least as hard as the LWE problem. This inherently leads to new cryptographic constructions providing high data load encryption and customized security properties as required, for instance, in economic environments such as stock markets resp. for financial transactions. The security of those constructions basically stems from the hardness to solve the A-LWE problem. As an application we introduce (among others) the first lattice-based replayable chosen-ciphertext secure encryption scheme from A-LWE.
Realizing Proxy Re-encryption in the Symmetric World
Cited by 1 (0 self)
Abstract. Proxy re-encryption is a useful concept and many proxy re-encryption schemes have been proposed in the asymmetric encryption setting. In the asymmetric encryption setting, proxy re-encryption can be beautifully implemented because many operations are available to directly transform a cipher to another cipher without the proxy needing to access the plaintexts. However, in many situations, for a better performance, the data is encrypted using symmetric ciphers. Most symmetric ciphers do not support proxy cryptography because malleability (that is needed to implement the proxy re-encryption) is not a desired property in a secure encryption scheme. In this paper, we suggest an idea to implement a pure proxy re-encryption for the symmetric ciphers by first transforming the plaintext into a random sequence of blocks using an All-or-nothing transform (AONT). We show an example of the proxy re-encryption scheme using a weak encryption (i.e. simple permutation) that has a simple conversion function to convert a permutation to another. The encryption scheme exploits three characteristics of an AONT transformation: (1) the output of an AONT is pseudorandom, (2) the output of an AONT cannot be transformed back if any part is missing, and (3) the output of an AONT cannot be transformed back without having all blocks in the correct position. We show a security argument for the proposed scheme and its performance evaluation.