Results 1  10
of
114
A logic of authentication
 ACM TRANSACTIONS ON COMPUTER SYSTEMS
, 1990
"... Questions of belief are essential in analyzing protocols for the authentication of principals in distributed computing systems. In this paper we motivate, set out, and exemplify a logic specifically designed for this analysis; we show how various protocols differ subtly with respect to the required ..."
Abstract

Cited by 1332 (22 self)
 Add to MetaCart
Questions of belief are essential in analyzing protocols for the authentication of principals in distributed computing systems. In this paper we motivate, set out, and exemplify a logic specifically designed for this analysis; we show how various protocols differ subtly with respect to the required initial assumptions of the participants and their final beliefs. Our formalism has enabled us to isolate and express these differences with a precision that was not previously possible. It has drawn attention to features of protocols of which we and their authors were previously unaware, and allowed us to suggest improvements to the protocols. The reasoning about some protocols has been mechanically verified. This paper starts with an informal account of the problem, goes on to explain the formalism to be used, and gives examples of its application to protocols from the literature, both with sharedkey cryptography and with publickey cryptography. Some of the examples are chosen because of their practical importance, while others serve to illustrate subtle points of the logic and to explain how we use it. We discuss extensions of the logic motivated by actual practice  for example, in order to account for the use of hash functions in signatures. The final sections contain a formal semantics of the logic and some conclusions.
Fuzzy identitybased encryption
 In EUROCRYPT
, 2005
"... We introduce a new type of IdentityBased Encryption (IBE) scheme that we call Fuzzy IdentityBased Encryption. In Fuzzy IBE we view an identity as set of descriptive attributes. A Fuzzy IBE scheme allows for a private key for an identity, ω, to decrypt a ciphertext encrypted with an identity, ω ′ , ..."
Abstract

Cited by 377 (20 self)
 Add to MetaCart
(Show Context)
We introduce a new type of IdentityBased Encryption (IBE) scheme that we call Fuzzy IdentityBased Encryption. In Fuzzy IBE we view an identity as set of descriptive attributes. A Fuzzy IBE scheme allows for a private key for an identity, ω, to decrypt a ciphertext encrypted with an identity, ω ′ , if and only if the identities ω and ω ′ are close to each other as measured by the “set overlap ” distance metric. A Fuzzy IBE scheme can be applied to enable encryption using biometric inputs as identities; the errortolerance property of a Fuzzy IBE scheme is precisely what allows for the use of biometric identities, which inherently will have some noise each time they are sampled. Additionally, we show that FuzzyIBE can be used for a type of application that we term “attributebased encryption”. In this paper we present two constructions of Fuzzy IBE schemes. Our constructions can be viewed as an IdentityBased Encryption of a message under several attributes that compose a (fuzzy) identity. Our IBE schemes are both errortolerant and secure against collusion attacks. Additionally, our basic construction does not use random oracles. We prove the security of our schemes under the SelectiveID security model. 1
An efficient system for nontransferable anonymous credentials with optional anonymity revocation
, 2001
"... A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance ..."
Abstract

Cited by 308 (13 self)
 Add to MetaCart
A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional DiffieHellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing allornothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.
Seeingisbelieving: Using camera phones for humanverifiable authentication
 In IEEE Symposium on Security and Privacy
, 2005
"... Current mechanisms for authenticating communication between devices that share no prior context are inconvenient for ordinary users, without the assistance of a trusted authority. We present and analyze SeeingIsBelieving, a system that utilizes 2D barcodes and cameraphones to implement a visual ch ..."
Abstract

Cited by 204 (19 self)
 Add to MetaCart
(Show Context)
Current mechanisms for authenticating communication between devices that share no prior context are inconvenient for ordinary users, without the assistance of a trusted authority. We present and analyze SeeingIsBelieving, a system that utilizes 2D barcodes and cameraphones to implement a visual channel for authentication and demonstrative identification of devices. We apply this visual channel to several problems in computer security, including authenticated key exchange between devices that share no prior context, establishment of a trusted path for configuration of a TCGcompliant computing platform, and secure device configuration in the context of a smart home. 1.
Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions
, 2005
"... We identify and fill some gaps with regard to consistency (the extent to which false positives are produced) for publickey encryption with keyword search (PEKS). We define computational and statistical relaxations of the existing notion of perfect consistency, show that the scheme of [7] is compu ..."
Abstract

Cited by 143 (3 self)
 Add to MetaCart
(Show Context)
We identify and fill some gaps with regard to consistency (the extent to which false positives are produced) for publickey encryption with keyword search (PEKS). We define computational and statistical relaxations of the existing notion of perfect consistency, show that the scheme of [7] is computationally consistent, and provide a new scheme that is statistically consistent. We also provide a transform of an anonymous IBE scheme to a secure PEKS scheme that, unlike the previous one, guarantees consistency. Finally we suggest three extensions of the basic notions considered here, namely anonymous HIBE, publickey encryption with temporary keyword search, and identitybased encryption
Bonsai Trees, or How to Delegate a Lattice Basis
, 2010
"... We introduce a new latticebased cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include: • An efficient, stateless ‘hashandsign ’ signature scheme in the standard model (i.e., no random oracles), and • The ..."
Abstract

Cited by 123 (7 self)
 Add to MetaCart
(Show Context)
We introduce a new latticebased cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include: • An efficient, stateless ‘hashandsign ’ signature scheme in the standard model (i.e., no random oracles), and • The first hierarchical identitybased encryption (HIBE) scheme (also in the standard model) that does not rely on bilinear pairings. Interestingly, the abstract properties of bonsai trees seem to have no known realization in conventional numbertheoretic cryptography. 1
Anonymous Hierarchical IdentityBased Encryption (Without Random Oracles). In: Dwork
 CRYPTO 2006. LNCS,
, 2006
"... Abstract We present an identitybased cryptosystem that features fully anonymous ciphertexts and hierarchical key delegation. We give a proof of security in the standard model, based on the mild Decision Linear complexity assumption in bilinear groups. The system is efficient and practical, with sm ..."
Abstract

Cited by 119 (10 self)
 Add to MetaCart
(Show Context)
Abstract We present an identitybased cryptosystem that features fully anonymous ciphertexts and hierarchical key delegation. We give a proof of security in the standard model, based on the mild Decision Linear complexity assumption in bilinear groups. The system is efficient and practical, with small ciphertexts of size linear in the depth of the hierarchy. Applications include search on encrypted data, fully private communication, etc. Our results resolve two open problems pertaining to anonymous identitybased encryption, our scheme being the first to offer provable anonymity in the standard model, in addition to being the first to realize fully anonymous HIBE at all levels in the hierarchy. Introduction The cryptographic primitive of identitybased encryption allows a sender to encrypt a message for a receiver using only the receiver's identity as a public key. Recently, there has been interest in "anonymous" identitybased encryption systems, where the ciphertext does not leak the identity of the recipient. In addition to their obvious privacy benefits, anonymous IBE systems can be leveraged to construct Public key Encryption with Keyword Search (PEKS) schemes, as was first observed by Boneh et al. [10] and later formalized by Abdalla et al. Prior to this paper, the only IBE system known to be inherently anonymous was that of Boneh and Franklin Our Results We present an Anonymous IBE and HIBE scheme without random oracles, therby solving both open problems from CRYPTO'05. Our scheme is very efficient for pure IBE, and reasonably efficient for HIBE with shallow hierarchies of practical interest. We prove it secure based solely on Boneh's et al. [9] Decision Linear assumption, which is one of the mildest useful complexity assumptions in bilinear groups. At first sight, our construction bears a superficial resemblance to Boneh and Boyen's "BB 1 " HIBE scheme [5, §4] but with at least two big differences. First, we perform "linear splittings" on various portions of the ciphertext, to thwart the trialanderror identity guessing to which other schemes fell prey. This idea gives us provable anonymity, even under symmetric pairings. Second, we use multiple parallel HIBE systems and constantly rerandomize the keys between them. This is what lets us use the linear splitting trick at all levels of the hierarchy, but also poses a technical challenge in the security reduction which mist now simulate multiple interacting HIBE systems at once. Solving this problem was the crucial step that gave us a hierarchy without destroying anonymity. Building a "flat" anonymous IBE system turns out to be reasonably straightforward using our linear splitting technique to hide the recipient identity behind some randomization. Complications arise when one tries to support hierarchical key generation. In a nutshell, to prevent collusion attacks in HIBE, "parents" must independently rerandomize the private keys they give to their "children". In all known HIBE schemes, rerandomization is enabled by a number of supplemental components in the public system parameters. Why this breaks anonymity is because the same mechanism that allows private keys to be publicly rerandomized, also allows ciphertexts to be publicly tested for recipient identities. Random oracles offer no protection against this. To circumvent this obstable, we need to make the rerandomization elements nonpublic, and tie them to each individual private key. In practical terms, this means that private keys must convey extra components (although not too many). The real difficulty is that each set of rerandomization components constitutes a fullfledged HIBE in its own right, which must be simulated together with its peers in the security proof (their number grows linearly with the maximal depth). Because these systems are not independent but interact with each other, we are left with the task of simulating multiple HIBE subsystems that are globally constrained by a set of linear relations. A novelty of our proof technique is a method to endow the simulator with enough degrees of freedom to reduce a system of unknown keys to a single instance of the presumed hard problem. A notable feature of our construction is that it can be implemented using all known instantiations of the bilinear pairing (whether symmetric or asymmetric, with our without a computable or 2 invertible homomorphism, etc.). To cover all grounds, we describe both a symmetric IBE version for simplicitly, and a fully general asymmetric HIBE without homomorphisms for generality. Related Work The concept of identitybased encryption was first proposed by Shamir [26] two decades ago. However, it was not until much later that Boneh and Franklin [11] and Cocks [17] presented the first practical solutions. The BonehFranklin IBE scheme was based on groups with efficiently computable bilinear maps, while the Cocks scheme was proven secure under the quadratic residuosity problem, which relies on the hardness of factoring. The security of either scheme was only proven in the random oracle model. Canetti, Halevi, and Katz [14] suggested a weaker security notion for IBE, known as selective identity or selectiveID, relative to which they were able to build an inefficient but secure IBE scheme without using random oracles. Boneh and Boyen The notion of hierarchical identitybased encryption was first defined by Horwitz and Lynn [4]. Applications In this section we discuss various applications of our fully anonymous HIBE system. The main applications can be split into several broad categories. 3 Fully Private Communication. The first compelling application of anonymous IBE is for fully private communication. Bellare et al. [4] argue that public key encryption systems that have the "key privacy" property can be used for anonymous communication: for example, if one wishes to hide the identity of a recipient one can encrypt a ciphertext with an anonymous IBE system and post it on a public bulletin board. By the anonymity property, the ciphertext will betray neither sender nor recipient identity, and since the bulletin board is public, this method will also be resistant to traffic analysis. To compound this notion of key privacy, identitybased encryption is particularly suited for untraceable anonymous communication, since, contrarily to publickey infrastructures, the sender does not even need to query a directory for the public key of the recipient. For this reason, anonymous IBE provides a very convincing solution to the problem of secure anonymous communication, as it makes it harder to conduct traffic analysis attack on directory lookups. Search on Encrypted Data. The second main application of anonymous (H)IBE is for encrypted search. As mentioned earlier, anonymous IBE and HIBE give several application in the Publickey Encryption with Keyword Search (PEKS) domain, proposed by Boneh et al. [10], and further discussed by Abdalla et al. As the last applications we mention, forwardsecure publickey encryption Background Recall that a pairing is an efficiently computable [23], nondegenerate function, e : G ×Ĝ → G T , with the bilinearity property that e(g r ,ĝ s ) = e(g,ĝ) r s . Here, G,Ĝ, and G T are all multiplicative groups of prime order p, respectively generated by g,ĝ, and e(g,ĝ). We assume an efficient generation procedure that on input a security parameter Σ ∈ N outputs G $ ← Gen(1 Σ ) where log 2 (p) = Θ(Σ). We write Z p = Z/pZ for the set of residues modp and Z × p = Z p \ {0} for its multiplicative group. Assumptions Since bilinear groups first appeared in cryptography half a decade ago 4 Informally, we say that an assumption is mild if it is tautological in the generic group model Decision BDH: The Bilinear DH assumption was first used by Joux Decision Linear: The Linear assumption was first proposed by Boneh, Boyen, and Shacham for group signatures "Hard" means algorithmically nonsolvable with probability 1 /2 + Ω(poly(Σ) −1 ) in time O(poly(Σ)) for efficiently generated random "bilinear instances" These assumptions allow but not require the groups G andĜ to be distinct, and similarly we make no representation one way or the other regarding the existence of computable homomorphisms between G andĜ, in either direction. This is the most general formulation. It has two main benefits: (1) since it comes with fewer restrictions, it is potentially more robust and increases our confidence in the assumptions we make; and (2) it gives us the flexibility to implement the bilinear pairing on a broad variety of algebraic curves with attractive computational characteristics [2], whereas symmetric pairings tend to be confined to supersingular curves, to name this one distinction. Note that if we let G =Ĝ and g =ĝ, our assumptions regain their familiar "symmetric" forms: As a rule of thumb, the remainder of this paper may be read in the context of symmetric pairings, simply by dropping all "hats" (ˆ) in the notation. Also note that DLinear trivially implies DBDH. Models We briefly precise the security notions that are implied by the concept of Anonymous IBE or HIBE. We omit the formal definitions, which may be found in the literature Confidentiality: This is the usual security notion of semantic security for encryption. It means that no nontrivial information about the message can be feasibly gleaned from the ciphertext. Anonymity: Recipient anonymity is the property that the adversary be unable to distinguish the encryption of a chosen message for a first chosen identity from the encryption of the same message for a second chosen identity. Equivalently, the adversary must be unable to decide whether a ciphertext was encrypted for a chosen identity, or for a random identity. 5 Intuition Before we present our scheme we first explain why it is difficult to implement anonymous IBE without random oracles, as well as any form of anonymous HIBE even in the random oracle model. We also give some intuition behind our solution. Recall that in the basic BonehFranklin IBE system where H is a random oracle, r is a random exponent, and g and Q are public system parameters. A crucial observation is that the one element of the ciphertext in the bilinear group G, namely, g r , is just a random element that gives no information about the identity of the recipient. The reason why only one element in G is needed is because private keys in the BonehFranklin scheme are deterministic there will be no randomness in the private key to cancel out. Since the proof of semantic security is based on the fact that C 2 is indistinguishable from random without the private key for ID, it follows that the scheme is also anonymous since C 2 is the only part of the ciphertext on which the recipient identity has any bearing. More recently, there have been a number of IBE schemes proven secure without random oracles, such as BTE from where r is chosen by the encryptor and g, g 1 , g 3 , and e(g 1 ,ĝ 2 ) are public system parameters. Notice, there are now two elements in G, and between them there is enough redundancy to determine whether a ciphertext was intended for a given identity Id, simply by testing whether the tuple [g, g Id 1 g 3 , C 1 , C 2 ] is DiffieHellman, using the bilinear map, We see that the extra ciphertext components which are seemingly necessary in IBE schemes without random oracles, in fact contribute to leaking the identity of the intended recipient of a ciphertext. A similar argument can be made for why existing HIBE schemes are not anonymous, regardless of their lack of use of random oracles. Indeed, all known HIBE schemes, including the GentrySilverberg system in the random oracle model, rely on randomization in order to properly delegate private keys down the hierarchy in a collusionresistant manner. Because of this, we similarly have the property that the extra components needed to cancel the randomization will also provide a test for the addressee's identity. Since having randomized keys seems to be fundamental to designing (H)IBE systems without random oracles, we aim to design a system where the necessary extra information will be hidden to a computationally bounded adversary. Thus, even though we cannot prevent the ciphertext from containing information about the recipient, we can design our system such that this information cannot be easily tested from the public parameters and ciphertext alone. A Primer : Anonymous IBE We start by describing an Anonymous IBE scheme that is semantically secure against selectiveID chosen plaintext attacks. This construction will illustrate our basic technique of "splitting" the bilinear group elements into two pieces to protect against the attacks described in the previous section. In the next section we will describe our full Anonymous HIBE scheme, as well as mention how to achieve adaptiveID and chosen ciphertext security. For simplicity, and also to show that we get anonymity even when using symmetric pairings, we describe the IBE system (and the IBE system only) in the special case where G =Ĝ: Setup The setup algorithm chooses a random generator g ∈ G, random group elements g 0 , g 1 ∈ G, and random exponents ω, t 1 , t 2 , t 3 , t 4 ∈ Z p . It keeps these exponents as the master key, Msk. The corresponding system parameters are published as: Extract(Msk, Id) To issue a private key for identity Id, the key extraction authority chooses two random exponents r 1 , r 2 ∈ Z p , and computes the private key, , as: Encrypt(Pub, Id, M ) Encrypting a message Msg ∈ G T for an identity Id ∈ Z × p works as follows. The algorithm chooses random exponents s, s 1 , s 2 ∈ Z p , and creates the ciphertext as: Decrypt(Pvk Id , C) The decryption algorithm attempts to decrypt a ciphertext CT by computing: Proving Security. We prove security using a hybrid experiment. Let [C , C 0 , C 1 , C 2 , C 3 , C 4 ] denote the challenge ciphertext given to the adversary during a real attack. Additionally, let R be a random element of G T , and R , R be random elements of G. We define the following hybrid games which differ on what challenge ciphertext is given by the simulator to the adversary: We remark that the challenge ciphertext in Γ 3 leaks no information about the identity since it is composed of six random group elements, whereas in Γ 0 the challenge is well formed. We show that the transitions from Γ 0 to Γ 1 to Γ 2 to Γ 3 are all computationally indistinguishable. Lemma 1 (semantic security). Under the (t, )Decision BDH assumption, there is no adversary running in time t that distinguishes between the games Γ 0 and Γ 1 with advantage greater than . 7 Proof. The proof from this lemma essentially follows from the security of the BonehBoyen selectiveID scheme. Suppose there is an adversary that can distingiush between game Γ 0 and Γ 1 with advantage . Then we build a simulator that plays the Decison BDH game with advantage . The simulator receives a DBDH challenge [g, g z 1 , g z 2 , g z 3 , Z] where Z is either e(g, g) z 1 z 2 z 3 or a random element of G T with equal probability. The game proceeds as follows: Init: The adversary announces the identity Id * it wants to be challenged upon. Setup: The simulator chooses random exponents t 1 , t 2 , t 3 , t 4 , y ∈ Z p . It retains the generator g, and sets g 0 = (g z 1 ) −Id g y and g 1 = g z 1 . The public parameters are published as: Note that this implies that ω = z 1 z 2 . Phase 1: Suppose the adversary requests a key for identity Id = Id * . The simulator picks random exponents r 1 , r 2 ∈ Z p , and issues a private key as: This is a well formed secret key for random exponentsr 1 = r 1 − z 2 /(Id − Id * ) andr 2 = r 2 . Challenge: Upon receiving a message Msg from the adversary, the simulator chooses s 1 , s 2 ∈ Z p , and outputs the challenge ciphertext as: We can let s = z 3 and see that if Z = e(g, g) z 1 z 2 z 3 the simulator is playing game Γ 0 with the adversary, otherwise the simulator is playing game Γ 1 with the adversary. Phase 2: The simulator answers the queries in the same way as Phase 1. Guess: The simulator outputs a guess γ, which the simulator forwards as its own guess for the DBDH game. Since the simulator plays game Γ 0 if and only the given DBDH instance was well formed, the simulator's advantage in the DBDH game is exactly . Lemma 2 (anonymity, part 1). Under the (t, )Decision linear assumption, no adversary that runs in time t can distinguish between the games Γ 1 and Γ 2 with advantage greater than . Proof. Suppose the existence of an adversary A that distinguishes between the two games with advantage . Then we construct a simulator that wins the Decision Linear game as follows. The simulator takes in a DLinear instance [g, g z 1 , g z 2 , g z 1 z 3 , g z 2 z 4 , Z], where Z is either g z 3 +z 4 or random in G with equal probability. For convenience, we rewrite this as [g, g z 1 , g z 2 , g z 1 z 3 , Y, g s ] for s such that g s = Z, and consider the task of deciding whether Y = g z 2 (s−z 3 ) which is equivalent. The simulator plays the game in the following stages. Init: The adversary A gives the simulator the challenge identity Id * . Setup: The simulator first chooses random exponents α, y, t 3 , t 4 , ω. It lets g in the simulation be as in the instance, and sets v 1 = g z 2 and v 2 = g z 1 . The public key is published as: 8 If we pose t 1 = z 1 and t 2 = z 2 , we note that the public key is distributed as in the real scheme. Phase 1: To answer a private key extraction query for an identity Id = Id * , the simulator chooses random exponents r 1 , r 2 ∈ Z p , and outputs a key given by: If, instead of r 1 and r 2 , we consider this pair of uniform random exponents, then we see that the private key is well formed, since it can be rewritten as: −r 2 t 3 . Challenge: The simulator gets from the adversary a message M which it can discard, and responds with a challenge ciphertext for the identity Id * . Pose s 1 = z 3 . To proceed, the simulator picks a random exponent s 2 ∈ Z p and a random element R ∈ G T , and outputs the ciphertext as: 2 ; all parts of the challenge but C are thus well formed, and the simulator behaved as in game Γ 1 . If instead Y is independent of z 1 , z 2 , s, s 1 , s 2 , which happens when Z is random, then the simulator responded as in game Γ 2 . Phase 2: The simulator answer the query in the same way as Phase 1. Output: The adversary outputs a bit γ to guess which hybrid game the simulator has been playing. To conclude, the simulator forwards γ as its own answer in the DecisionLinear game. By the simulation setup the advantage of the simulator will be exactly that of the adversary. Lemma 3 (anonymity, part 2). Under the (t, )Decision linear assumption, no adversary that runs in time t can distinguish between the games Γ 2 and Γ 3 with advantage greater than . Proof. This argument follows almost identically to that of Lemma 2, except where the simulation is done over the parameters v 3 and v 4 in place of v 1 and v 2 . The other difference is that the g ω term that appeared in d 1 , d 2 without interfering with the simulation, does not even appear in d 3 , d 4 . 5 The Scheme : Anonymous HIBE We now describe our full Anonymous HIBE scheme without random oracles. Anonymity is provided by the splitting technique and hybrid proof introduced in the previous section. In addition, to thwart the multiple avenues for user collusion enabled by the hierarchy, the keys are rerandomized between all siblings and all children. Roughly speaking, this is done by using several parallel HIBE systems, which are recombined at random every time a new private key is issued. In the proof of security, this extra complication is handled by a "multisecret simulator", that is able to simulate multiple interacting HIBE systems under a set of constraints. This is an information theoretic proof that sits on top of the hybrid argument, which is computational. For the most part, we focus on security against selectiveidentity, chosen plaintext attacks. In Appendix A we mention how to secure the scheme against adaptiveID and CCA2 adversaries. 9 Setup(1 Σ , D) To generate the public system parameters and the corresponding master secret key, given a security parameter Σ ∈ N in unary, and the hierarchy's maximum depth D ∈ N, the setup algorithm first generates a bilinear instance 1. Select 7 + 5 D + D 2 random integers modulo p (some of them forcibly nonzero): 2. Publish G and the system parameters Pub ∈ G T × G 2 (1+D) (2+D) given by: 3. Retain the master secret key Msk ∈Ĝ 1+(3+D) (2+D) comprising the elements: Extract(Pub, Msk, Id) To extract a private key for an identity Id where L ∈ {1, . . . , D} and by convention I 0 = 1, using the master key Msk: Compute the key's decryption portion: 3. The rerandomization part: Pvk And then the delegation components: The full private key is issued as the concatenation: Pvk Id = Pvk Each row on the left can be viewed as a private key in an independent HIBE system (with generalized linear splitting as in Section 4). The main difference is that only Pvk where L ∈ {2, . . . , D} and I 0 = 1, given a private key of the parent. Let that be 2. Compute for the decryption portion: . 3. For rerandomization: Pvk . And then for delegation: The subordinate private key is the concatenation: Derive and Extract create private keys with the same structure and distribution. The derivation process in Derive merges two distinct operations: delegation and rerandomization. Rerandomization occurs first, conceptually speaking. Very simply, we take a random linear combination of all the rows of the big array on page 10. The first row is treated a bit differently: it does not intervene into any other row's rerandomization, and its own coefficient is set to 1. Delegation targets the leftmost elements of Pvk We now turn to the encryption and decryption methods. 11 Encrypt(Pub, Id, Msg) To encrypt a message encoded as a group element Msg ∈ G T for a given identity Id = [I 0 (= 1), I 1 , . . . , I L ] at level L, the encryption algorithm proceeds as follows: ∈ G T × G 5+2 D . Encryption is very cheap with a bit of caching since the exponentiations bases never change. Decrypt(Pub, Pvk Id , CT) To decrypt a ciphertext CT, using (the decryption portion of) a private key Pvk (a) , k n,(b) ] n=0,...,1+D ] , the decryption algorithm outputs: Msg ← E · e(c 0 , k 0 ) 1+D n=0 e(c n,(a) , k n,(a) ) e(c n,(b) , k n,(b) ) ∈ G T . All the pairings in the product can be computed at once using the "multipairing" trick which is similar to multiexponentiation. One can also exploit the fact that all the k ··· are fixed for a given recipient to perform advantageous precomputations The following theorems show that extracted and delegated private keys are identically distributed, and that extraction, encryption, and decryption, are consistent. Proofs are given in Appendix B. Theorem 4. Private keys calculated by Derive and Extract have the same distribution. Theorem 5. The Anonymous HIBE scheme is internally consistent. Security We state the security theorems for the AHIBE scheme. The reductions are essentially tight and hold in the standard model. Informal arguments and full proofs may be found in Appendix C. First, we show semantic security against a selectiveidentity, chosen plaintext adversary. Theorem 6 (Confidentiality). Suppose that G upholds the (τ, )Decision BDH assumption. Then, against a selectiveID adversary that makes at most q private key extraction queries, the HIBE scheme of Section 5 is (q,τ ,˜ )INDsIDCPA secure in G withτ ≈ τ and˜ = −(3 + D) q/p. The next theorem shows that the scheme is recipient anonymous under a selective identity, chosen plaintext attack. (Sender anonymity is a trivial property of unauthenticated encryption.) Theorem 7 (Anonymity). Suppose that G upholds the (τ, )Decision Linear assumption. Then, against a selectiveID adversary that makes q private key extraction queries, the HIBE scheme of Section 5 is (q,τ ,˜ )ANONsIDCPA secure in G withτ ≈ τ and˜ = − (2 + D) (7 + 3 D) q/p. Active Attacks. We mention how to secure the scheme against active adversaries in the adaptive identity (ID) and the adaptive chosen ciphertext (CCA2) attack models in Appendix A. 12 Conclusion We presented a provably anonymous IBE and HIBE scheme without random oracles, which resolves an open question from CRYPTO 2005 regarding the existence of anonymous HIBE systems. Our constructions make use of a novel "linearsplitting" technique which prevents an attacker from testing the intended recipient of ciphertexts yet allows for the use of randomized private IBE keys. In the hierarchical case, we add to this a new "multisimulation" proof device that permits multiple HIBE subsystems to concurrently rerandomize each other. Security is based solely on the Linear assumption in bilinear groups. Our basic scheme is very efficient, within a factor two of (nonanonymous) BonehBoyen, and much faster than BonehFranklin encryption. The full hierarchical scheme remains practical with its quadratic private key size, and its linear ciphertext size, encryption time, and decryption time, as functions of the depth of the hierarchy.
Multidimension range query over encrypted data
 In IEEE Symposium on Security and Privacy
, 2007
"... encryption We design an encryption scheme called Multidimensional Range Query over Encrypted Data (MRQED), to address the privacy concerns related to the sharing of network audit logs and various other applications. Our scheme allows a network gateway to encrypt summaries of network flows before su ..."
Abstract

Cited by 112 (5 self)
 Add to MetaCart
encryption We design an encryption scheme called Multidimensional Range Query over Encrypted Data (MRQED), to address the privacy concerns related to the sharing of network audit logs and various other applications. Our scheme allows a network gateway to encrypt summaries of network flows before submitting them to an untrusted repository. When network intrusions are suspected, an authority can release a key to an auditor, allowing the auditor to decrypt flows whose attributes (e.g., source and destination addresses, port numbers, etc.) fall within specific ranges. However, the privacy of all irrelevant flows are still preserved. We formally define the security for MRQED and prove the security of our construction under the decision bilinear DiffieHellman and decision linear assumptions in certain bilinear groups. We study the practical performance of our construction in the context of network audit logs. Apart from network audit logs, our scheme also has interesting applications for financial audit logs, medical privacy, untrusted remote storage, etc. In particular, we show that MRQED implies a solution to its dual problem, which enables investors to trade stocks through a broker in a privacypreserving manner. 1
Universal Reencryption for Mixnets
 IN PROCEEDINGS OF THE 2004 RSA CONFERENCE, CRYPTOGRAPHER’S TRACK
, 2002
"... We introduce a new cryptographic technique that we call universal reencryption. A conventional cryptosystem that permits reencryption, such as ElGamal, does so only for a player with knowledge of the public key corresponding to a given ciphertext. In contrast, universal reencryption can be don ..."
Abstract

Cited by 112 (10 self)
 Add to MetaCart
We introduce a new cryptographic technique that we call universal reencryption. A conventional cryptosystem that permits reencryption, such as ElGamal, does so only for a player with knowledge of the public key corresponding to a given ciphertext. In contrast, universal reencryption can be done without knowledge of public keys. We propose an asymmetric cryptosystem with universal reencryption that is half as efficient as standard ElGamal in terms of computation and storage. While
Building an Encrypted and Searchable Audit Log
 In The 11th Annual Network and Distributed System Security Symposium
, 2004
"... Audit logs are an important part of any secure system, and they need to be carefully designed in order to give a faithful representation of past system activity. This is especially true in the presence of adversaries who might want to tamper with the audit logs. While it is important that auditors c ..."
Abstract

Cited by 99 (2 self)
 Add to MetaCart
(Show Context)
Audit logs are an important part of any secure system, and they need to be carefully designed in order to give a faithful representation of past system activity. This is especially true in the presence of adversaries who might want to tamper with the audit logs. While it is important that auditors can inspect audit logs to assess past system activity, the content of an audit log may contain sensitive information, and should therefore be protected from unauthorized parties.