Results 1-10 of 386
Short Signatures without Random Oracles
2004
Cited by 393 (11 self)
Abstract
We describe a short signature scheme which is existentially unforgeable under a chosen message attack without using random oracles. The security of our scheme depends on a new complexity assumption we call the Strong Diffie-Hellman assumption. This assumption has similar properties to the Strong RSA assumption, hence the name. Strong RSA was previously used to construct signature schemes without random oracles. However, signatures generated by our scheme are much shorter and simpler than signatures from schemes based on Strong RSA.
Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products
Cited by 173 (23 self)
Abstract
Predicate encryption is a new paradigm generalizing, among other things, identity-based encryption. In a predicate encryption scheme, secret keys correspond to predicates and ciphertexts are associated with attributes; the secret key $SK_f$ corresponding to a predicate $f$ can be used to decrypt a ciphertext associated with attribute $I$ if and only if $f(I) = 1$. Constructions of such schemes are currently known for relatively few classes of predicates. We construct such a scheme for predicates corresponding to the evaluation of inner products over $\mathbb{Z}_N$ (for some large integer $N$). This, in turn, enables constructions in which predicates correspond to the evaluation of disjunctions, polynomials, CNF/DNF formulae, or threshold predicates (among others). Besides serving as a significant step forward in the theory of predicate encryption, our results lead to a number of applications that are interesting in their own right.
Efficient noninteractive proof systems for bilinear groups
In EUROCRYPT 2008, volume 4965 of LNCS
2008
Cited by 126 (7 self)
Abstract
Non-interactive zero-knowledge proofs and non-interactive witness-indistinguishable proofs have played a significant role in the theory of cryptography. However, lack of efficiency has prevented them from being used in practice. One of the roots of this inefficiency is that non-interactive zero-knowledge proofs have been constructed for general NP-complete languages such as Circuit Satisfiability, causing an expensive blowup in the size of the statement when reducing it to a circuit. The contribution of this paper is a general methodology for constructing very simple and efficient non-interactive zero-knowledge proofs and non-interactive witness-indistinguishable proofs that work directly for groups with a bilinear map, without needing a reduction to Circuit Satisfiability. Groups with bilinear maps have enjoyed tremendous success in the field of cryptography in recent years and have been used to construct a plethora of protocols. This paper provides non-interactive witness-indistinguishable proofs and non-interactive zero-knowledge proofs that can be used in connection with these protocols. Our goal is to spread the use of non-interactive cryptographic proofs from mainly theoretical purposes to the large class of practical cryptographic protocols based on bilinear groups.
Group signatures with verifierlocal revocation
CCS'04
2004
Cited by 126 (3 self)
Abstract
Group signatures have recently become important for enabling privacy-preserving attestation in projects such as Microsoft's NGSCB effort (formerly Palladium). Revocation is critical to the security of such systems. We construct a short group signature scheme that supports Verifier-Local Revocation (VLR). In this model, revocation messages are only sent to signature verifiers (as opposed to both signers and verifiers). Consequently there is no need to contact individual signers when some user is revoked. This model is appealing for systems providing attestation capabilities. Our signatures are as short as standard RSA signatures with comparable security. Security of our group signature (in the random oracle model) is based on the Strong Diffie-Hellman assumption and the Decision Linear assumption in bilinear groups. We give a precise model for VLR group signatures and discuss its implications.
Virtual Trip Lines for Distributed PrivacyPreserving Traffic Monitoring
2008
Cited by 120 (28 self)
Abstract
Automotive traffic monitoring using probe vehicles with Global Positioning System receivers promises significant improvements in cost, coverage, and accuracy. Current approaches, however, raise privacy concerns because they require participants to reveal their positions to an external traffic monitoring server. To address this challenge, we propose a system based on virtual trip lines and an associated cloaking technique. Virtual trip lines are geographic markers that indicate where vehicles should provide location updates. These markers can be placed to avoid particularly privacy-sensitive locations. They also allow aggregating and cloaking several location updates based on trip line identifiers, without knowing the actual geographic locations of these trip lines. Thus they facilitate the design of a distributed architecture, where no single entity has complete knowledge of probe identities and fine-grained location information. We have implemented the system with GPS
Anonymous Hierarchical Identity-Based Encryption (Without Random Oracles)
In: Dwork (ed.) CRYPTO 2006. LNCS
2006
Cited by 119 (10 self)
Abstract
We present an identity-based cryptosystem that features fully anonymous ciphertexts and hierarchical key delegation. We give a proof of security in the standard model, based on the mild Decision Linear complexity assumption in bilinear groups. The system is efficient and practical, with small ciphertexts of size linear in the depth of the hierarchy. Applications include search on encrypted data, fully private communication, etc. Our results resolve two open problems pertaining to anonymous identity-based encryption, our scheme being the first to offer provable anonymity in the standard model, in addition to being the first to realize fully anonymous HIBE at all levels in the hierarchy.

1 Introduction

The cryptographic primitive of identity-based encryption allows a sender to encrypt a message for a receiver using only the receiver's identity as a public key. Recently, there has been interest in "anonymous" identity-based encryption systems, where the ciphertext does not leak the identity of the recipient. In addition to their obvious privacy benefits, anonymous IBE systems can be leveraged to construct Public-key Encryption with Keyword Search (PEKS) schemes, as was first observed by Boneh et al. [10] and later formalized by Abdalla et al. Prior to this paper, the only IBE system known to be inherently anonymous was that of Boneh and Franklin.

Our Results. We present an Anonymous IBE and HIBE scheme without random oracles, thereby solving both open problems from CRYPTO'05. Our scheme is very efficient for pure IBE, and reasonably efficient for HIBE with shallow hierarchies of practical interest. We prove it secure based solely on Boneh et al.'s [9] Decision Linear assumption, which is one of the mildest useful complexity assumptions in bilinear groups. At first sight, our construction bears a superficial resemblance to Boneh and Boyen's "BB1" HIBE scheme [5, §4], but with at least two big differences. First, we perform "linear splittings" on various portions of the ciphertext, to thwart the trial-and-error identity guessing to which other schemes fell prey. This idea gives us provable anonymity, even under symmetric pairings. Second, we use multiple parallel HIBE systems and constantly re-randomize the keys between them. This is what lets us use the linear splitting trick at all levels of the hierarchy, but also poses a technical challenge in the security reduction, which must now simulate multiple interacting HIBE systems at once. Solving this problem was the crucial step that gave us a hierarchy without destroying anonymity.

Building a "flat" anonymous IBE system turns out to be reasonably straightforward using our linear splitting technique to hide the recipient identity behind some randomization. Complications arise when one tries to support hierarchical key generation. In a nutshell, to prevent collusion attacks in HIBE, "parents" must independently re-randomize the private keys they give to their "children". In all known HIBE schemes, re-randomization is enabled by a number of supplemental components in the public system parameters. This breaks anonymity because the same mechanism that allows private keys to be publicly re-randomized also allows ciphertexts to be publicly tested for recipient identities. Random oracles offer no protection against this. To circumvent this obstacle, we need to make the re-randomization elements non-public, and tie them to each individual private key. In practical terms, this means that private keys must carry extra components (although not too many). The real difficulty is that each set of re-randomization components constitutes a full-fledged HIBE in its own right, which must be simulated together with its peers in the security proof (their number grows linearly with the maximal depth). Because these systems are not independent but interact with each other, we are left with the task of simulating multiple HIBE subsystems that are globally constrained by a set of linear relations. A novelty of our proof technique is a method to endow the simulator with enough degrees of freedom to reduce a system of unknown keys to a single instance of the presumed hard problem.

A notable feature of our construction is that it can be implemented using all known instantiations of the bilinear pairing (whether symmetric or asymmetric, with or without a computable or invertible homomorphism, etc.). To cover all grounds, we describe both a symmetric IBE version for simplicity, and a fully general asymmetric HIBE without homomorphisms for generality.

Related Work. The concept of identity-based encryption was first proposed by Shamir [26] two decades ago. However, it was not until much later that Boneh and Franklin [11] and Cocks [17] presented the first practical solutions. The Boneh-Franklin IBE scheme was based on groups with efficiently computable bilinear maps, while the Cocks scheme was proven secure under the quadratic residuosity problem, which relies on the hardness of factoring. The security of either scheme was only proven in the random oracle model. Canetti, Halevi, and Katz [14] suggested a weaker security notion for IBE, known as selective identity or selective-ID, relative to which they were able to build an inefficient but secure IBE scheme without using random oracles. Boneh and Boyen

The notion of hierarchical identity-based encryption was first defined by Horwitz and Lynn [4].

Applications. In this section we discuss various applications of our fully anonymous HIBE system. The main applications can be split into several broad categories.

Fully Private Communication. The first compelling application of anonymous IBE is for fully private communication. Bellare et al. [4] argue that public key encryption systems that have the "key privacy" property can be used for anonymous communication: for example, if one wishes to hide the identity of a recipient, one can encrypt a ciphertext with an anonymous IBE system and post it on a public bulletin board. By the anonymity property, the ciphertext will betray neither sender nor recipient identity, and since the bulletin board is public, this method will also be resistant to traffic analysis. To compound this notion of key privacy, identity-based encryption is particularly suited for untraceable anonymous communication, since, unlike with public-key infrastructures, the sender does not even need to query a directory for the public key of the recipient. For this reason, anonymous IBE provides a very convincing solution to the problem of secure anonymous communication, as it makes it harder to conduct traffic analysis attacks on directory lookups.

Search on Encrypted Data. The second main application of anonymous (H)IBE is for encrypted search. As mentioned earlier, anonymous IBE and HIBE give several applications in the Public-key Encryption with Keyword Search (PEKS) domain, proposed by Boneh et al. [10], and further discussed by Abdalla et al.

As the last applications we mention, forward-secure public-key encryption

2 Background

Recall that a pairing is an efficiently computable [23], non-degenerate function $e : \mathbb{G} \times \hat{\mathbb{G}} \to \mathbb{G}_T$, with the bilinearity property that $e(g^r, \hat{g}^s) = e(g, \hat{g})^{rs}$. Here, $\mathbb{G}$, $\hat{\mathbb{G}}$, and $\mathbb{G}_T$ are all multiplicative groups of prime order $p$, respectively generated by $g$, $\hat{g}$, and $e(g, \hat{g})$. We assume an efficient generation procedure that on input a security parameter $\Sigma \in \mathbb{N}$ outputs $\mathbb{G} \xleftarrow{\$} \mathrm{Gen}(1^\Sigma)$ where $\log_2(p) = \Theta(\Sigma)$. We write $\mathbb{Z}_p = \mathbb{Z}/p\mathbb{Z}$ for the set of residues mod $p$ and $\mathbb{Z}_p^\times = \mathbb{Z}_p \setminus \{0\}$ for its multiplicative group.

Assumptions. Since bilinear groups first appeared in cryptography half a decade ago

Informally, we say that an assumption is mild if it is tautological in the generic group model

Decision BDH: The Bilinear DH assumption was first used by Joux

Decision Linear: The Linear assumption was first proposed by Boneh, Boyen, and Shacham for group signatures

"Hard" means algorithmically non-solvable with probability $1/2 + \Omega(\mathrm{poly}(\Sigma)^{-1})$ in time $O(\mathrm{poly}(\Sigma))$ for efficiently generated random "bilinear instances".

These assumptions allow but do not require the groups $\mathbb{G}$ and $\hat{\mathbb{G}}$ to be distinct, and similarly we make no representation one way or the other regarding the existence of computable homomorphisms between $\mathbb{G}$ and $\hat{\mathbb{G}}$, in either direction. This is the most general formulation. It has two main benefits: (1) since it comes with fewer restrictions, it is potentially more robust and increases our confidence in the assumptions we make; and (2) it gives us the flexibility to implement the bilinear pairing on a broad variety of algebraic curves with attractive computational characteristics [2], whereas symmetric pairings tend to be confined to supersingular curves, to name this one distinction. Note that if we let $\mathbb{G} = \hat{\mathbb{G}}$ and $g = \hat{g}$, our assumptions regain their familiar "symmetric" forms. As a rule of thumb, the remainder of this paper may be read in the context of symmetric pairings, simply by dropping all "hats" ($\hat{\ }$) in the notation. Also note that DLinear trivially implies DBDH.

Models. We briefly make precise the security notions that are implied by the concept of Anonymous IBE or HIBE. We omit the formal definitions, which may be found in the literature.

Confidentiality: This is the usual security notion of semantic security for encryption. It means that no non-trivial information about the message can be feasibly gleaned from the ciphertext.

Anonymity: Recipient anonymity is the property that the adversary be unable to distinguish the encryption of a chosen message for a first chosen identity from the encryption of the same message for a second chosen identity. Equivalently, the adversary must be unable to decide whether a ciphertext was encrypted for a chosen identity, or for a random identity.

3 Intuition

Before we present our scheme we first explain why it is difficult to implement anonymous IBE without random oracles, as well as any form of anonymous HIBE even in the random oracle model. We also give some intuition behind our solution.

Recall that in the basic Boneh-Franklin IBE system, where $H$ is a random oracle, $r$ is a random exponent, and $g$ and $Q$ are public system parameters, a crucial observation is that the one element of the ciphertext in the bilinear group $\mathbb{G}$, namely $g^r$, is just a random element that gives no information about the identity of the recipient. The reason why only one element in $\mathbb{G}$ is needed is that private keys in the Boneh-Franklin scheme are deterministic: there is no randomness in the private key to cancel out. Since the proof of semantic security is based on the fact that $C_2$ is indistinguishable from random without the private key for ID, it follows that the scheme is also anonymous, since $C_2$ is the only part of the ciphertext on which the recipient identity has any bearing.

More recently, there have been a number of IBE schemes proven secure without random oracles, such as BTE, where $r$ is chosen by the encryptor and $g, g_1, g_3$, and $e(g_1, \hat{g}_2)$ are public system parameters. Notice that there are now two elements in $\mathbb{G}$, and between them there is enough redundancy to determine whether a ciphertext was intended for a given identity $\mathrm{Id}$, simply by testing whether the tuple $[g,\ g_1^{\mathrm{Id}} g_3,\ C_1,\ C_2]$ is Diffie-Hellman, using the bilinear map. We see that the extra ciphertext components which are seemingly necessary in IBE schemes without random oracles in fact contribute to leaking the identity of the intended recipient of a ciphertext.

A similar argument can be made for why existing HIBE schemes are not anonymous, regardless of their use of random oracles. Indeed, all known HIBE schemes, including the Gentry-Silverberg system in the random oracle model, rely on randomization in order to properly delegate private keys down the hierarchy in a collusion-resistant manner. Because of this, we similarly have the property that the extra components needed to cancel the randomization will also provide a test for the addressee's identity. Since having randomized keys seems to be fundamental to designing (H)IBE systems without random oracles, we aim to design a system where the necessary extra information will be hidden from a computationally bounded adversary. Thus, even though we cannot prevent the ciphertext from containing information about the recipient, we can design our system such that this information cannot be easily tested from the public parameters and ciphertext alone.

4 A Primer: Anonymous IBE

We start by describing an Anonymous IBE scheme that is semantically secure against selective-ID chosen plaintext attacks. This construction will illustrate our basic technique of "splitting" the bilinear group elements into two pieces to protect against the attacks described in the previous section. In the next section we will describe our full Anonymous HIBE scheme, as well as mention how to achieve adaptive-ID and chosen ciphertext security. For simplicity, and also to show that we get anonymity even when using symmetric pairings, we describe the IBE system (and the IBE system only) in the special case where $\mathbb{G} = \hat{\mathbb{G}}$:

Setup. The setup algorithm chooses a random generator $g \in \mathbb{G}$, random group elements $g_0, g_1 \in \mathbb{G}$, and random exponents $\omega, t_1, t_2, t_3, t_4 \in \mathbb{Z}_p$. It keeps these exponents as the master key, $\mathrm{Msk}$. The corresponding system parameters are published as:

Extract(Msk, Id). To issue a private key for identity $\mathrm{Id}$, the key extraction authority chooses two random exponents $r_1, r_2 \in \mathbb{Z}_p$, and computes the private key, $\mathrm{Pvk}_{\mathrm{Id}}$, as:

Encrypt(Pub, Id, Msg). Encrypting a message $\mathrm{Msg} \in \mathbb{G}_T$ for an identity $\mathrm{Id} \in \mathbb{Z}_p^\times$ works as follows. The algorithm chooses random exponents $s, s_1, s_2 \in \mathbb{Z}_p$, and creates the ciphertext as:

Decrypt(Pvk_Id, CT). The decryption algorithm attempts to decrypt a ciphertext $\mathrm{CT}$ by computing:

Proving Security. We prove security using a hybrid experiment. Let $[C', C_0, C_1, C_2, C_3, C_4]$ denote the challenge ciphertext given to the adversary during a real attack. Additionally, let $R$ be a random element of $\mathbb{G}_T$, and $R', R''$ be random elements of $\mathbb{G}$. We define the following hybrid games, which differ in what challenge ciphertext is given by the simulator to the adversary:

We remark that the challenge ciphertext in $\Gamma_3$ leaks no information about the identity since it is composed of six random group elements, whereas in $\Gamma_0$ the challenge is well formed. We show that the transitions from $\Gamma_0$ to $\Gamma_1$ to $\Gamma_2$ to $\Gamma_3$ are all computationally indistinguishable.

Lemma 1 (semantic security). Under the $(t, \epsilon)$-Decision BDH assumption, there is no adversary running in time $t$ that distinguishes between the games $\Gamma_0$ and $\Gamma_1$ with advantage greater than $\epsilon$.

Proof. The proof of this lemma essentially follows from the security of the Boneh-Boyen selective-ID scheme. Suppose there is an adversary that can distinguish between game $\Gamma_0$ and $\Gamma_1$ with advantage $\epsilon$. Then we build a simulator that plays the Decision BDH game with advantage $\epsilon$. The simulator receives a DBDH challenge $[g, g^{z_1}, g^{z_2}, g^{z_3}, Z]$ where $Z$ is either $e(g,g)^{z_1 z_2 z_3}$ or a random element of $\mathbb{G}_T$ with equal probability. The game proceeds as follows.

Init: The adversary announces the identity $\mathrm{Id}^*$ it wants to be challenged upon.

Setup: The simulator chooses random exponents $t_1, t_2, t_3, t_4, y \in \mathbb{Z}_p$. It retains the generator $g$, and sets $g_0 = (g^{z_1})^{-\mathrm{Id}^*} g^y$ and $g_1 = g^{z_1}$. The public parameters are published as: Note that this implies that $\omega = z_1 z_2$.

Phase 1: Suppose the adversary requests a key for identity $\mathrm{Id} \neq \mathrm{Id}^*$. The simulator picks random exponents $r_1, r_2 \in \mathbb{Z}_p$, and issues a private key as: This is a well-formed secret key for random exponents $\tilde{r}_1 = r_1 - z_2/(\mathrm{Id} - \mathrm{Id}^*)$ and $\tilde{r}_2 = r_2$.

Challenge: Upon receiving a message $\mathrm{Msg}$ from the adversary, the simulator chooses $s_1, s_2 \in \mathbb{Z}_p$, and outputs the challenge ciphertext as: We can let $s = z_3$ and see that if $Z = e(g,g)^{z_1 z_2 z_3}$ the simulator is playing game $\Gamma_0$ with the adversary, otherwise the simulator is playing game $\Gamma_1$ with the adversary.

Phase 2: The simulator answers the queries in the same way as in Phase 1.

Guess: The adversary outputs a guess $\gamma$, which the simulator forwards as its own guess for the DBDH game. Since the simulator plays game $\Gamma_0$ if and only if the given DBDH instance was well formed, the simulator's advantage in the DBDH game is exactly $\epsilon$.

Lemma 2 (anonymity, part 1). Under the $(t, \epsilon)$-Decision Linear assumption, no adversary that runs in time $t$ can distinguish between the games $\Gamma_1$ and $\Gamma_2$ with advantage greater than $\epsilon$.

Proof. Suppose the existence of an adversary $\mathcal{A}$ that distinguishes between the two games with advantage $\epsilon$. Then we construct a simulator that wins the Decision Linear game as follows. The simulator takes in a DLinear instance $[g, g^{z_1}, g^{z_2}, g^{z_1 z_3}, g^{z_2 z_4}, Z]$, where $Z$ is either $g^{z_3 + z_4}$ or random in $\mathbb{G}$ with equal probability. For convenience, we rewrite this as $[g, g^{z_1}, g^{z_2}, g^{z_1 z_3}, Y, g^s]$ for $s$ such that $g^s = Z$, and consider the task of deciding whether $Y = g^{z_2 (s - z_3)}$, which is equivalent. The simulator plays the game in the following stages.

Init: The adversary $\mathcal{A}$ gives the simulator the challenge identity $\mathrm{Id}^*$.

Setup: The simulator first chooses random exponents $\alpha, y, t_3, t_4, \omega$. It lets $g$ in the simulation be as in the instance, and sets $v_1 = g^{z_2}$ and $v_2 = g^{z_1}$. The public key is published as: If we pose $t_1 = z_1$ and $t_2 = z_2$, we note that the public key is distributed as in the real scheme.

Phase 1: To answer a private key extraction query for an identity $\mathrm{Id} \neq \mathrm{Id}^*$, the simulator chooses random exponents $r_1, r_2 \in \mathbb{Z}_p$, and outputs a key given by: If, instead of $r_1$ and $r_2$, we consider this pair of uniform random exponents, then we see that the private key is well formed, since it can be rewritten as:

Challenge: The simulator gets from the adversary a message $M$ which it can discard, and responds with a challenge ciphertext for the identity $\mathrm{Id}^*$. Pose $s_1 = z_3$. To proceed, the simulator picks a random exponent $s_2 \in \mathbb{Z}_p$ and a random element $R \in \mathbb{G}_T$, and outputs the ciphertext as: All parts of the challenge but $C'$ are thus well formed, and the simulator behaved as in game $\Gamma_1$. If instead $Y$ is independent of $z_1, z_2, s, s_1, s_2$, which happens when $Z$ is random, then the simulator responded as in game $\Gamma_2$.

Phase 2: The simulator answers the queries in the same way as in Phase 1.

Output: The adversary outputs a bit $\gamma$ to guess which hybrid game the simulator has been playing. To conclude, the simulator forwards $\gamma$ as its own answer in the Decision Linear game. By the simulation setup, the advantage of the simulator will be exactly that of the adversary.

Lemma 3 (anonymity, part 2). Under the $(t, \epsilon)$-Decision Linear assumption, no adversary that runs in time $t$ can distinguish between the games $\Gamma_2$ and $\Gamma_3$ with advantage greater than $\epsilon$.

Proof. This argument follows almost identically to that of Lemma 2, except that the simulation is done over the parameters $v_3$ and $v_4$ in place of $v_1$ and $v_2$. The other difference is that the $g^\omega$ term that appeared in $d_1, d_2$ without interfering with the simulation does not even appear in $d_3, d_4$.

5 The Scheme: Anonymous HIBE

We now describe our full Anonymous HIBE scheme without random oracles. Anonymity is provided by the splitting technique and hybrid proof introduced in the previous section. In addition, to thwart the multiple avenues for user collusion enabled by the hierarchy, the keys are re-randomized between all siblings and all children. Roughly speaking, this is done by using several parallel HIBE systems, which are recombined at random every time a new private key is issued. In the proof of security, this extra complication is handled by a "multi-secret simulator", which is able to simulate multiple interacting HIBE systems under a set of constraints. This is an information-theoretic proof that sits on top of the hybrid argument, which is computational. For the most part, we focus on security against selective-identity, chosen plaintext attacks. In Appendix A we mention how to secure the scheme against adaptive-ID and CCA2 adversaries.

Setup($1^\Sigma$, D). To generate the public system parameters and the corresponding master secret key, given a security parameter $\Sigma \in \mathbb{N}$ in unary and the hierarchy's maximum depth $D \in \mathbb{N}$, the setup algorithm first generates a bilinear instance, then:
1. Select $7 + 5D + D^2$ random integers modulo $p$ (some of them forcibly non-zero):
2. Publish $\mathbb{G}$ and the system parameters $\mathrm{Pub} \in \mathbb{G}_T \times \mathbb{G}^{2(1+D)(2+D)}$ given by:
3. Retain the master secret key $\mathrm{Msk} \in \hat{\mathbb{G}}^{1 + (3+D)(2+D)}$ comprising the elements:

Extract(Pub, Msk, Id). To extract a private key for an identity $\mathrm{Id}$ at level $L \in \{1, \ldots, D\}$ (by convention $I_0 = 1$), using the master key $\mathrm{Msk}$: compute the key's decryption portion; the re-randomization part; and then the delegation components. The full private key is issued as the concatenation of these parts, $\mathrm{Pvk}_{\mathrm{Id}}$. Each row on the left can be viewed as a private key in an independent HIBE system (with generalized linear splitting as in Section 4). The main difference is that only $\mathrm{Pvk}$

Derive. To derive a private key for an identity at level $L \in \{2, \ldots, D\}$ (with $I_0 = 1$), given a private key of the parent: compute the decryption portion; the re-randomization part; and then the delegation components. The subordinate private key is the concatenation of these parts.

Derive and Extract create private keys with the same structure and distribution. The derivation process in Derive merges two distinct operations: delegation and re-randomization. Re-randomization occurs first, conceptually speaking. Very simply, we take a random linear combination of all the rows of the big array on page 10. The first row is treated a bit differently: it does not intervene in any other row's re-randomization, and its own coefficient is set to 1. Delegation targets the leftmost elements of $\mathrm{Pvk}$. We now turn to the encryption and decryption methods.

Encrypt(Pub, Id, Msg). To encrypt a message encoded as a group element $\mathrm{Msg} \in \mathbb{G}_T$ for a given identity $\mathrm{Id} = [I_0\ (= 1), I_1, \ldots, I_L]$ at level $L$, the encryption algorithm proceeds as follows: The ciphertext lies in $\mathbb{G}_T \times \mathbb{G}^{5 + 2D}$. Encryption is very cheap with a bit of caching, since the exponentiation bases never change.

Decrypt(Pub, Pvk_Id, CT). To decrypt a ciphertext $\mathrm{CT}$, using (the decryption portion of) a private key $\mathrm{Pvk}_{\mathrm{Id}} = [k_0, [k_{n,(a)}, k_{n,(b)}]_{n = 0, \ldots, 1+D}]$, the decryption algorithm outputs:
$$\mathrm{Msg} \leftarrow E \cdot e(c_0, k_0) \prod_{n=0}^{1+D} e(c_{n,(a)}, k_{n,(a)})\, e(c_{n,(b)}, k_{n,(b)}) \in \mathbb{G}_T.$$
All the pairings in the product can be computed at once using the "multi-pairing" trick, which is similar to multi-exponentiation. One can also exploit the fact that all the $k_{\cdots}$ are fixed for a given recipient to perform advantageous precomputations.

The following theorems show that extracted and delegated private keys are identically distributed, and that extraction, encryption, and decryption are consistent. Proofs are given in Appendix B.

Theorem 4. Private keys calculated by Derive and Extract have the same distribution.

Theorem 5. The Anonymous HIBE scheme is internally consistent.

6 Security

We state the security theorems for the AHIBE scheme. The reductions are essentially tight and hold in the standard model. Informal arguments and full proofs may be found in Appendix C. First, we show semantic security against a selective-identity, chosen plaintext adversary.

Theorem 6 (Confidentiality). Suppose that $\mathbb{G}$ upholds the $(\tau, \epsilon)$-Decision BDH assumption. Then, against a selective-ID adversary that makes at most $q$ private key extraction queries, the HIBE scheme of Section 5 is $(q, \tilde{\tau}, \tilde{\epsilon})$-IND-sID-CPA secure in $\mathbb{G}$ with $\tilde{\tau} \approx \tau$ and $\tilde{\epsilon} = \epsilon - (3 + D)\, q/p$.

The next theorem shows that the scheme is recipient-anonymous under a selective-identity, chosen plaintext attack. (Sender anonymity is a trivial property of unauthenticated encryption.)

Theorem 7 (Anonymity). Suppose that $\mathbb{G}$ upholds the $(\tau, \epsilon)$-Decision Linear assumption. Then, against a selective-ID adversary that makes $q$ private key extraction queries, the HIBE scheme of Section 5 is $(q, \tilde{\tau}, \tilde{\epsilon})$-ANON-sID-CPA secure in $\mathbb{G}$ with $\tilde{\tau} \approx \tau$ and $\tilde{\epsilon} = \epsilon - (2 + D)(7 + 3D)\, q/p$.

Active Attacks. We mention how to secure the scheme against active adversaries in the adaptive identity (ID) and the adaptive chosen ciphertext (CCA2) attack models in Appendix A.

7 Conclusion

We presented a provably anonymous IBE and HIBE scheme without random oracles, which resolves an open question from CRYPTO 2005 regarding the existence of anonymous HIBE systems. Our constructions make use of a novel "linear-splitting" technique which prevents an attacker from testing the intended recipient of ciphertexts yet allows for the use of randomized private IBE keys. In the hierarchical case, we add to this a new "multi-simulation" proof device that permits multiple HIBE subsystems to concurrently re-randomize each other. Security is based solely on the Linear assumption in bilinear groups. Our basic scheme is very efficient, within a factor of two of (non-anonymous) Boneh-Boyen, and much faster than Boneh-Franklin encryption. The full hierarchical scheme remains practical with its quadratic private key size, and its linear ciphertext size, encryption time, and decryption time, as functions of the depth of the hierarchy.
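The recipient test of the Intuition section and the split ciphertext of the Primer, as an added worked example that is not part of the paper or of this results page: a small Python model of a generic bilinear group in which every element of $\mathbb{G}$ is stored as its discrete logarithm base $g$ and every element of $\mathbb{G}_T$ as its logarithm base $e(g,g)$, so that the pairing equations can be evaluated directly. Discrete logarithms are free in this model, so it demonstrates only the algebra (which equations hold), never the hardness assumptions. The BB1-style two-element ciphertext and the element layout of the split IBE ($d_0..d_4$, $C', C_0..C_4$, and the $t_1 t_2 \omega$ exponent in $\Omega$) are assumptions of this example, since the page omits the formulas; the group order is a constructed Mersenne prime.

```python
"""Generic-bilinear-group model: G and G_T elements are kept as their discrete logs.

This is an added example, not code from the paper.  Because logs are free here, it
checks pairing-equation algebra only; it says nothing about the hardness assumptions.
"""
import secrets

P = 2**127 - 1               # assumed prime order of G and G_T (a Mersenne prime)
G = 1                        # log_g(g)

def rand_exp():              # uniform non-zero exponent in Z_p^x
    return 1 + secrets.randbelow(P - 1)

def mul(*xs):                # group multiplication = addition of logs
    return sum(xs) % P

def pw(x, k):                # exponentiation = multiplication of logs
    return (x * k) % P

def inv(x):                  # group inverse = negation of log
    return (-x) % P

def pair(x, y):              # e(g^x, g^y) = e(g,g)^{xy}
    return (x * y) % P

# (1) BB1-style ciphertext: C1 = g^r, C2 = (g1^Id g3)^r.  Anyone holding the public
#     parameters can test a candidate Id with one pairing equation.
def bb1_style_ciphertext(g1, g3, ident, r):
    return pw(G, r), pw(mul(pw(g1, ident), g3), r)

def bb1_identity_test(g1, g3, ident, c1, c2):
    """True iff [g, g1^Id g3, C1, C2] is a Diffie-Hellman tuple: e(g,C2) == e(g1^Id g3, C1)."""
    return pair(G, c2) == pair(mul(pw(g1, ident), g3), c1)

# (2) Linear-splitting IBE (element layout assumed by this example).  The exponent s
#     that would reveal the recipient is split over two bases, v1^(s-s1) v2^s1 and
#     v3^(s-s2) v4^s2; the private key carries the matching t1,t2 / t3,t4 factors so
#     the two halves recombine only under the pairing with that key.
def setup():
    g0, g1 = rand_exp(), rand_exp()
    w, t1, t2, t3, t4 = (rand_exp() for _ in range(5))
    pub = dict(g0=g0, g1=g1, v1=pw(G, t1), v2=pw(G, t2), v3=pw(G, t3), v4=pw(G, t4),
               Omega=pw(pair(G, G), t1 * t2 * w))          # e(g,g)^{t1 t2 w}
    msk = dict(w=w, t1=t1, t2=t2, t3=t3, t4=t4)
    return pub, msk

def extract(pub, msk, ident):
    r1, r2 = rand_exp(), rand_exp()
    a = mul(pub["g0"], pw(pub["g1"], ident))               # log(g0 g1^Id)
    w, t1, t2, t3, t4 = (msk[k] for k in ("w", "t1", "t2", "t3", "t4"))
    return (pw(G, r1 * t1 * t2 + r2 * t3 * t4),            # d0
            mul(pw(G, inv(w * t2)), pw(a, inv(r1 * t2))),  # d1 = g^{-w t2} (g0 g1^Id)^{-r1 t2}
            mul(pw(G, inv(w * t1)), pw(a, inv(r1 * t1))),  # d2 = g^{-w t1} (g0 g1^Id)^{-r1 t1}
            pw(a, inv(r2 * t4)),                           # d3 = (g0 g1^Id)^{-r2 t4}
            pw(a, inv(r2 * t3)))                           # d4 = (g0 g1^Id)^{-r2 t3}

def encrypt(pub, ident, msg):        # msg is a G_T element, i.e. a log base e(g,g)
    s, s1, s2 = rand_exp(), rand_exp(), rand_exp()
    a = mul(pub["g0"], pw(pub["g1"], ident))
    return (mul(pw(pub["Omega"], s), msg),                 # C' = Omega^s * Msg
            pw(a, s),                                      # C0 = (g0 g1^Id)^s
            pw(pub["v1"], s - s1), pw(pub["v2"], s1),      # C1, C2
            pw(pub["v3"], s - s2), pw(pub["v4"], s2))      # C3, C4

def decrypt(key, ct):
    """Msg = C' * e(C0,d0) e(C1,d1) e(C2,d2) e(C3,d3) e(C4,d4); the product is Omega^{-s}."""
    cp, c0, c1, c2, c3, c4 = ct
    d0, d1, d2, d3, d4 = key
    return mul(cp, pair(c0, d0), pair(c1, d1), pair(c2, d2), pair(c3, d3), pair(c4, d4))

def naive_identity_test(pub, ident, ct):
    """The BB1-style test transplanted to the split ciphertext.  It would need g^s, but
    the ciphertext only exposes v1^(s-s1) and v2^s1, so e(g, C0) == e(g0 g1^Id, C1 C2)
    fails even for the true recipient (except with probability about 1/p)."""
    _, c0, c1, c2, _, _ = ct
    a = mul(pub["g0"], pw(pub["g1"], ident))
    return pair(G, c0) == pair(a, mul(c1, c2))

if __name__ == "__main__":
    g1, g3, r = rand_exp(), rand_exp(), rand_exp()
    c1, c2 = bb1_style_ciphertext(g1, g3, 42, r)
    print("BB1-style test, Id=42:", bb1_identity_test(g1, g3, 42, c1, c2))   # True
    print("BB1-style test, Id=43:", bb1_identity_test(g1, g3, 43, c1, c2))   # False
    pub, msk = setup()
    ct = encrypt(pub, 42, 777)
    print("split IBE decrypts:", decrypt(extract(pub, msk, 42), ct) == 777)  # True
    print("naive test on split ct:", naive_identity_test(pub, 42, ct))       # False
```

The decryption check is the algebraic identity the split relies on: the $(s - s_1)$ and $s_1$ halves are both multiplied by $t_1 t_2 (\omega + a r_1)$ under the pairing and add back to $s$, so the $r_1$ terms cancel against $e(C_0, d_0)$ and only $\Omega^{-s}$ survives. The naive test shows that the identity-dependent element $C_0$ is no longer accompanied by a bare $g^s$ to pair it against; what hides the recipient is that a bounded adversary cannot recombine the halves without the key's $t_i$ factors, which this log-representation model deliberately does not capture.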
Multidimension range query over encrypted data
 In IEEE Symposium on Security and Privacy
, 2007
Abstract
Cited by 112 (5 self)
We design an encryption scheme called Multidimensional Range Query over Encrypted Data (MRQED), to address the privacy concerns related to the sharing of network audit logs and various other applications. Our scheme allows a network gateway to encrypt summaries of network flows before submitting them to an untrusted repository. When network intrusions are suspected, an authority can release a key to an auditor, allowing the auditor to decrypt flows whose attributes (e.g., source and destination addresses, port numbers, etc.) fall within specific ranges. However, the privacy of all irrelevant flows is still preserved. We formally define the security for MRQED and prove the security of our construction under the decision bilinear Diffie-Hellman and decision linear assumptions in certain bilinear groups. We study the practical performance of our construction in the context of network audit logs. Apart from network audit logs, our scheme also has interesting applications for financial audit logs, medical privacy, untrusted remote storage, etc. In particular, we show that MRQED implies a solution to its dual problem, which enables investors to trade stocks through a broker in a privacy-preserving manner.
Pairings for Cryptographers
 IN PREPARATION
, 2006
Abstract
Cited by 104 (7 self)
Many research papers in pairing-based cryptography treat pairings as a "black box". These papers build cryptographic schemes making use of various properties of pairings. If this approach is taken, then it is easy for authors to make invalid assumptions concerning the properties of pairings. The cryptographic schemes developed may not be realizable in practice, or may not be as efficient as the authors assume.
Pairingbased Cryptography at High Security Levels
 Proceedings of Cryptography and Coding 2005, volume 3796 of LNCS
, 2005
Abstract
Cited by 90 (3 self)
Abstract. In recent years cryptographic protocols based on the Weil and Tate pairings on elliptic curves have attracted much attention. A notable success in this area was the elegant solution by Boneh and Franklin [7] of the problem of efficient identity-based encryption. At the same time, the security standards for public key cryptosystems are expected to increase, so that in the future they will be capable of providing security equivalent to 128, 192, or 256-bit AES keys. In this paper we examine the implications of heightened security needs for pairing-based cryptosystems. We first describe three different reasons why high-security users might have concerns about the long-term viability of these systems. However, in our view none of the risks inherent in pairing-based systems are sufficiently serious to warrant pulling them from the shelves. We next discuss two families of elliptic curves E for use in pairing-based cryptosystems. The first has the property that the pairing takes values in the prime field Fp over which the curve is defined; the second family consists of supersingular curves with embedding degree k = 2. Finally, we examine the efficiency of the Weil pairing as opposed to the Tate pairing and compare a range of choices of embedding degree k, including k = 1 and k = 24.