Results 1  10
of
40
New proof methods for attributebased encryption: Achieving full security through selective techniques
 in Proc. of CRYPTO
, 2012
"... We develop a new methodology for utilizing the prior techniques to prove selective security for functional encryption systems as a direct ingredient in devising proofs of full security. This deepens the relationship between the selective and full security models and provides a path for transferring ..."
Abstract

Cited by 48 (10 self)
 Add to MetaCart
We develop a new methodology for utilizing the prior techniques to prove selective security for functional encryption systems as a direct ingredient in devising proofs of full security. This deepens the relationship between the selective and full security models and provides a path for transferring the best qualities of selectively secure systems to fully secure systems. In particular, we present a CiphertextPolicy AttributeBased Encryption scheme that is proven fully secure while matching the efficiency of the state of the art selectively secure systems. 1
Verifiable delegation of computation over large datasets
 In Proceedings of the 31st annual conference on Advances in cryptology, CRYPTO’11
, 2011
"... We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial func ..."
Abstract

Cited by 46 (4 self)
 Add to MetaCart
(Show Context)
We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial functions. Such functions can be used, for example, to make predictions based on polynomials fitted to a large number of sample points in an experiment. In addition to the many noncryptographic applications of delegating high degree polynomials, we use our verifiable computation scheme to obtain new solutions for verifiable keyword search, and proofs of retrievability. Our constructions are based on the DDH assumption and its variants, and achieve adaptive security, which was left as an open problem by Gennaro et al (albeit for general functionalities). Our second result is a primitive which we call a verifiable database (VDB). Here, a weak client outsources a large table to an untrusted server, and makes retrieval and update queries. For each query, the server provides a response and a proof that the response was computed correctly. The goal is to minimize the resources required by the client. This is made particularly challenging if the number of update queries is unbounded. We present a VDB scheme based on the hardness of the subgroup
Tools for simulating features of composite order bilinear groups in the prime order setting
 In EUROCRYPT
, 2012
"... In this paper, we explore a general methodology for converting composite order pairingbased cryptosystems into the prime order setting. We employ the dual pairing vector space approach initiated by Okamoto and Takashima and formulate versatile tools in this framework that can be used to translate co ..."
Abstract

Cited by 37 (4 self)
 Add to MetaCart
(Show Context)
In this paper, we explore a general methodology for converting composite order pairingbased cryptosystems into the prime order setting. We employ the dual pairing vector space approach initiated by Okamoto and Takashima and formulate versatile tools in this framework that can be used to translate composite order schemes for which the prior techniques of Freeman were insufficient. Our techniques are typically applicable for composite order schemes relying on the canceling property and proven secure from variants of the subgroup decision assumption, and will result in prime order schemes that are proven secure from the decisional linear assumption. As an instructive example, we obtain a translation of the LewkoWaters composite order IBE scheme. This provides a close analog of the BonehBoyen IBE scheme that is proven fully secure from the decisional linear assumption. We also provide a translation of the LewkoWaters unbounded HIBE scheme. 1
AttributeBased Encryption with Fast Decryption
, 2013
"... Attributebased encryption (ABE) is a vision of public key encryption that allows users to encrypt and decrypt messages based on user attributes. This functionality comes at a cost. In a typical implementation, the size of the ciphertext is proportional to the number of attributes associated with it ..."
Abstract

Cited by 16 (0 self)
 Add to MetaCart
(Show Context)
Attributebased encryption (ABE) is a vision of public key encryption that allows users to encrypt and decrypt messages based on user attributes. This functionality comes at a cost. In a typical implementation, the size of the ciphertext is proportional to the number of attributes associated with it and the decryption time is proportional to the number of attributes used during decryption. Specifically, many practical ABE implementations require one pairing operation per attribute used during decryption. This work focuses on designing ABE schemes with fast decryption algorithms. We restrict our attention to expressive systems without systemwide bounds or limitations, such as placing a limit on the number of attributes used in a ciphertext or a private key. In this setting, we present the first keypolicy ABE system where ciphertexts can be decrypted with a constant number of pairings. We show that GPSW ciphertexts can be decrypted with only 2 pairings by increasing the private key size by a factor of Γ, where Γ is the set of distinct attributes that appear in the private key. We then present a generalized construction that allows each system user to independently tune various efficiency tradeoffs to their liking on a spectrum where the extremes are GPSW on one end and our very fast scheme on the other. This tuning requires no changes to the public parameters or the encryption algorithm. Strategies for choosing an individualized user optimization plan are discussed. Finally, we discuss how these ideas can be translated into the ciphertextpolicy ABE setting at a higher cost. 1
SemanticallySecure Functional Encryption: Possibility Results, Impossibility Results and the Quest for a General Definition
, 2012
"... This paper explains that SS1secure functional encryption (FE) as defined by Boneh, Sahai and Waters implicitly incorporates security under keyrevealing selective opening attacks (SOAK). This connection helps intuitively explain their impossibility results and also allows us to prove stronger ones ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
(Show Context)
This paper explains that SS1secure functional encryption (FE) as defined by Boneh, Sahai and Waters implicitly incorporates security under keyrevealing selective opening attacks (SOAK). This connection helps intuitively explain their impossibility results and also allows us to prove stronger ones. To fill this gap and move us closer to the (laudable) goal of a general and achievable notion of FE security, we seek and provide two “sans SOAK ” definitions of FE security that we call SS2 and SS3. We prove various possibility results about these definitions. We view our work as a first step towards the challenging goal of a general, meaningful and achievable notion of FE security. 1
Déja ̀ Q: Using Dual Systems to Revisit qType Assumptions
"... After more than a decade of usage, bilinear groups have established their place in the cryptographic canon by enabling the construction of many advanced cryptographic primitives. Unfortunately, this explosion in functionality has been accompanied by an analogous growth in the complexity of the ass ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
(Show Context)
After more than a decade of usage, bilinear groups have established their place in the cryptographic canon by enabling the construction of many advanced cryptographic primitives. Unfortunately, this explosion in functionality has been accompanied by an analogous growth in the complexity of the assumptions used to prove security. Many of these assumptions have been gathered under the umbrella of the “uberassumption, ” yet certain classes of these assumptions — namely, qtype assumptions — are stronger and require larger parameter sizes than their static counterparts. In this paper, we show that in certain bilinear groups, many classes of qtype assumptions are in fact implied by subgroup hiding (a wellestablished, static assumption). Our main tool in this endeavor is the dualsystem technique, as introduced by Waters in 2009. As a case study, we first show that in compositeorder groups, we can prove the security of the DodisYampolskiy PRF based solely on subgroup hiding and allow for a domain of arbitrary size (the original proof only allowed a logarithmicallysized domain). We then turn our attention to classes of qtype assumptions and show that they are implied — when instantiated in appropriate groups — solely by subgroup hiding. These classes are quite general and include assumptions such as qSDH. Concretely, our result implies that every construction relying on such assumptions for security (e.g., BonehBoyen signatures) can, when instantiated in appropriate compositeorder bilinear groups, be proved secure under subgroup hiding instead. 1
Fuzzy identity based encryption from lattices. IACR Cryptology ePrint Archive
, 2011
"... Cryptosystems based on the hardness of lattice problems have recently acquired much importance due to their averagecase to worstcase equivalence, their conjectured resistance to quantum cryptanalysis, their ease of implementation and increasing practicality, and, lately, their promising potential ..."
Abstract

Cited by 6 (1 self)
 Add to MetaCart
(Show Context)
Cryptosystems based on the hardness of lattice problems have recently acquired much importance due to their averagecase to worstcase equivalence, their conjectured resistance to quantum cryptanalysis, their ease of implementation and increasing practicality, and, lately, their promising potential as a platform for constructing advanced functionalities. In this work, we construct “Fuzzy ” Identity Based Encryption from the hardness of the standard Learning With Errors (LWE) problem. We give CPA and CCA secure variants of our construction, for small and large universes of attributes. All are secure against selectiveidentity attacks in the standard model. Our construction is made possible by observing certain special properties that secret sharing schemes need to satisfy in order to be useful for Fuzzy IBE. We discuss why further extensions are not as easy as they may seem. As such, ours is among the first examples of advancedfunctionality cryptosystem from lattices that goes “beyond IBE”.
Online/Offline AttributeBased Encryption
"... Attributebased encryption (ABE) is a type of public key encryption that allows users to encrypt and decrypt messages based on user attributes. For instance, one can encrypt a message to any user satisfying the boolean formula (“crypto conference attendee ” AND “PhD student”) OR “IACR member”. One d ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
Attributebased encryption (ABE) is a type of public key encryption that allows users to encrypt and decrypt messages based on user attributes. For instance, one can encrypt a message to any user satisfying the boolean formula (“crypto conference attendee ” AND “PhD student”) OR “IACR member”. One drawback is that encryption and key generation computational costs scale with the complexity of the access policy or number of attributes. In practice, this makes encryption and user key generation a possible bottleneck for some applications. To address this problem, we develop new techniques for ABE that split the computation for these algorithms into two phases: a preparation phase that does the vast majority of the work to encrypt a message or create a secret key before it knows the message or the attribute list/access control policy that will be used (or even the size of the list or policy). A second phase can then rapidly assemble an ABE ciphertext or key when the specifics become known. This concept is sometimes called “online/offline ” encryption when only the message is unknown during the preparation phase; we note that the addition of unknown attribute lists and access policies makes ABE significantly more challenging. One motivating application for this technology is mobile devices: the preparation work can be performed while the phone is plugged into a power source, then it can later rapidly perform ABE operations on the move without significantly draining the battery. 1
Fully secure and succinct attribute based encryption for circuits from multilinear maps. IACR Cryptology ePrint Archive
 In Proc. of CRYPTO, volume 3152 of LNCS
, 2004
"... We propose new fully secure attribute based encryption (ABE) systems for polynomialsize circuits in both keypolicy and ciphertextpolicy flavors. All the previous ABE systems for circuits were proved only selectively secure. Our schemes are based on asymmetric graded encoding systems in composite ..."
Abstract

Cited by 4 (1 self)
 Add to MetaCart
(Show Context)
We propose new fully secure attribute based encryption (ABE) systems for polynomialsize circuits in both keypolicy and ciphertextpolicy flavors. All the previous ABE systems for circuits were proved only selectively secure. Our schemes are based on asymmetric graded encoding systems in compositeorder settings. The assumptions consist of the Subgroup Decision assumptions and two assumptions which are similar to Multilinear Decisional DiffieHellman assumption (but more complex) and are proved to hold in the generic graded encoding model. Both of our systems enjoy succinctness: key and ciphertext sizes are proportional to their corresponding circuit and input string sizes. Our ciphertextpolicy ABE for circuits is the first to achieve succinctness, and the first that can deal with unboundedsize circuits (even among selectively secure systems). We develop new techniques for proving coselective security of keypolicy ABE for circuits, which is the main ingredient for the dualsystem encryption framework that uses computational arguments for enforcing full security.
Comparing the Pairing Efficiency over CompositeOrder and PrimeOrder Elliptic Curves
"... Abstract. We provide software implementation timings for pairings over compositeorder and primeorder elliptic curves. Composite orders must be large enough to be infeasible to factor. They are modulus of 2 up to 5 large prime numbers in the literature. There exists size recommendations for twopri ..."
Abstract

Cited by 4 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We provide software implementation timings for pairings over compositeorder and primeorder elliptic curves. Composite orders must be large enough to be infeasible to factor. They are modulus of 2 up to 5 large prime numbers in the literature. There exists size recommendations for twoprime RSA modulus and we extend the results of Lenstra concerning the RSA modulus sizes to multiprime modulus, for various security levels. We then implement a Tate pairing over a composite order supersingular curve and an optimal ate pairing over a primeorder BarretoNaehrig curve, both at the 128bit security level. We use our implementation timings to deduce the total cost of the homomorphic encryption scheme of Boneh, Goh and Nissim and its translation by Freeman in the primeorder setting. We also compare the efficiency of the unbounded Hierarchical Identity Based Encryption protocol of Lewko and Waters and its translation by Lewko in the prime order setting. Our results strengthen the previously observed inefficiency of compositeorder bilinear groups and advocate the use of primeorder group whenever possible in protocol design.