Cryptanalysis of the multilinear map over the integers
In Advances in Cryptology - EUROCRYPT 2015, 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques
Cited by 31 (3 self)
Abstract. We describe a polynomial-time cryptanalysis of the (approximate) multilinear map of Coron, Lepoint and Tibouchi (CLT). The attack relies on an adaptation of the so-called zeroizing attack against the Garg, Gentry and Halevi (GGH) candidate multilinear map. Zeroizing is much more devastating for CLT than for GGH. In the case of GGH, it allows one to break generalizations of the Decision Linear and Subgroup Membership problems from pairing-based cryptography. For CLT, this leads to a total break: all quantities meant to be kept secret can be efficiently and publicly recovered.
Cryptanalysis of multilinear map on ideal lattices. IACR ePrint
Cited by 5 (0 self)
Abstract. We improve the zeroizing attack on the multilinear map of Garg, Gentry and Halevi (GGH). Our algorithm can solve the Graded Decisional Diffie-Hellman (GDDH) problem on the GGH scheme when the dimension n of the ideal lattice Z[X]/(X^n+1) is O(κλ^2) as suggested for the κ-linear GGH scheme. The zeroizing attack is to recover a basis of an ideal generated by a secret element g ∈ Z[X]/(X^n + 1) from the zero testing parameter and several encodings in public. It can solve the DLIN and subgroup decision problems, but not the GDDH problem on the GGH scheme for the suggested dimension n, due to the hardness of the smallest basis problem and the shortest vector problem on the ideal lattice. In this paper, we propose an algorithm to find a short vector in the ideal lattice 〈g〉 by applying a lattice reduction to a sublattice obtained from the Hermite Normal Form of 〈g〉. This attack utilizes the fact that the determinant of the lattice 〈g〉 is not large. We further show that if g has a large residual degree, one can find a short element of 〈g〉 in time polynomial in n. In order to resist the proposed attacks, it is required that n = Ω̃(κ^2 λ^3) and the positive generator of 〈g〉 ∩ Z is large enough.
Dual System Encryption Framework in Prime-Order Groups
IACR Cryptology ePrint Archive, 2015
Cited by 1 (0 self)
We propose a new generic framework for achieving fully secure attribute-based encryption (ABE) in prime-order bilinear groups. It is generic in the sense that it can be applied to ABE for an arbitrary predicate. All previously available frameworks that are generic in this sense are given only in composite-order bilinear groups, whose operations are known to be much less efficient than in prime-order ones for the same security level. These consist of the frameworks by Wee (TCC'14) and Attrapadung (Eurocrypt'14). Both provide abstractions of dual-system encryption techniques introduced by Waters (Crypto'09). Our framework can be considered as a prime-order version of Attrapadung's framework and works in a similar manner: it relies on a main component called pair encodings, and it generically compiles any secure pair encoding scheme for the predicate in consideration to a fully secure ABE scheme for that predicate. One feature of our new compiler is that although the resulting ABE schemes will be newly defined in prime-order groups, we require essentially the same security notions of pair encodings as before. Besides the security of pair encodings, our framework assumes only the Matrix Diffie-Hellman assumption (Escala et al., Crypto'13), which is a
Generic Conversions from CPA to CCA secure Functional Encryption
Abstract. In 2004, Canetti-Halevi-Katz and later Boneh-Katz showed generic CCA-secure PKE constructions from a CPA-secure IBE. Goyal et al. in 2006 further extended the aforementioned idea implicitly to provide a specific CCA-secure KP-ABE with policies represented by monotone access trees. Later, Yamada et al. in 2011 generalized the CPA-to-CCA conversion to all those ABE where the policies are represented by either monotone access trees (MAT) or monotone span programs (MSP), but not the others like sets of minimal sets. Moreover, the underlying CPA-secure constructions must satisfy one of the two features called key-delegation and verifiability. Along with ABE, many other different encryption schemes, such as inner-product, hidden vector, spatial encryption schemes etc., can be studied under a unified framework, called functional encryption (FE), as introduced by Boneh-Sahai-Waters in 2011. The generic conversions, due to Yamada et al., cannot be applied to all these functional encryption schemes. On the other hand, to the best of our knowledge, there is no known CCA-secure construction beyond ABE over MSP and MAT. This paper provides different ways of obtaining CCA-secure functional encryptions of almost all categories. In particular, we provide a generic conversion from a CPA-secure functional encryption into a CCA-secure functional encryption provided the underlying CPA-secure encryption scheme has either the restricted delegation or the verifiability feature. We observe that almost all functional encryption schemes have this feature. The KP-FE schemes of Waters (proposed in 2012) and Attrapadung (proposed in 2014) for regular languages do not possess the usual delegation property. However, they can be converted into corresponding CCA-secure schemes as they satisfy the restricted delegation.