Results 1 - 10 of 52
Decentralizing Attribute-Based Encryption
Cited by 64 (9 self)
Abstract
We propose a Multi-Authority Attribute-Based Encryption (ABE) system. In our system, any party can become an authority and there is no requirement for any global coordination other than the creation of an initial set of common reference parameters. A party can simply act as an ABE authority by creating a public key and issuing private keys to different users that reflect their attributes. A user can encrypt data in terms of any boolean formula over attributes issued from any chosen set of authorities. Finally, our system does not require any central authority. In constructing our system, our largest technical hurdle is to make it collusion resistant. Prior Attribute-Based Encryption systems achieved collusion resistance when the ABE system authority “tied” together different components (representing different attributes) of a user’s private key by randomizing the key. However, in our system each component will come from a potentially different authority, where we assume no coordination between such authorities. We create new techniques to tie key components together and prevent collusion attacks between users with different global identifiers. We prove our system secure using the recent dual system encryption methodology, where the security proof works by first converting the challenge ciphertext and private keys to a semi-functional form and then arguing security. We follow a recent variant of the dual system proof technique due to Lewko and Waters and build our system using bilinear groups of composite order. We prove security under similar static assumptions to the LW paper in the random oracle model.
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Cited by 54 (0 self)
Abstract
We develop an abstract framework that encompasses the key properties of bilinear groups of composite order that are required to construct secure pairing-based cryptosystems, and we show how to use prime-order elliptic curve groups to construct bilinear groups with the same properties. In particular, we define a generalized version of the subgroup decision problem and give explicit constructions of bilinear groups in which the generalized subgroup decision assumption follows from the decision Diffie-Hellman assumption, the decision linear assumption, and/or related assumptions in prime-order groups. We apply our framework and our prime-order group constructions to create more efficient versions of cryptosystems that originally required composite-order groups. Specifically, we consider the Boneh-Goh-Nissim encryption scheme, the Boneh-Sahai-Waters traitor tracing system, and the Katz-Sahai-Waters attribute-based encryption scheme. We give a security theorem for the prime-order group instantiation of each system, using assumptions of comparable complexity to those used in the composite-order setting. Our conversion of the last two systems to prime-order groups answers a problem posed by Groth and Sahai.
Sequential aggregate signatures and multisignatures without random oracles
In EUROCRYPT, 2006
Cited by 51 (3 self)
Abstract
We present the first aggregate signature, the first multisignature, and the first verifiably encrypted signature provably secure without random oracles. Our constructions derive from a novel application of a recent signature scheme due to Waters. Signatures in our aggregate signature scheme are sequentially constructed, but knowledge of the order in which messages were signed is not necessary for verification. The aggregate signatures obtained are shorter than Lysyanskaya et al. sequential aggregates and can be verified more efficiently than Boneh et al. aggregates. We also consider applications to secure routing and proxy signatures.
Randomizable proofs and delegatable anonymous credentials
Cryptology ePrint Archive, Report 2008/428, 2008
Cited by 40 (4 self)
Abstract
We construct an efficient delegatable anonymous credentials system. Users can anonymously and unlinkably obtain credentials from any authority, delegate their credentials to other users, and prove possession of a credential L levels away from a given authority. The size of the proof (and time to compute it) is O(Lk), where k is the security parameter. The only other construction of delegatable anonymous credentials (Chase and Lysyanskaya, Crypto 2006) relies on general non-interactive proofs for NP-complete languages of size k^{Ω(2^L)}. We revise the entire approach to constructing anonymous credentials and identify randomizable zero-knowledge proof of knowledge systems as the key building block. We formally define the notion of randomizable non-interactive zero-knowledge proofs, and give the first instance of controlled re-randomization of non-interactive zero-knowledge proofs by a third party. Our construction uses Groth-Sahai proofs (Eurocrypt 2008).
Tools for simulating features of composite order bilinear groups in the prime order setting
In EUROCRYPT, 2012
Cited by 35 (4 self)
Abstract
In this paper, we explore a general methodology for converting composite order pairing-based cryptosystems into the prime order setting. We employ the dual pairing vector space approach initiated by Okamoto and Takashima and formulate versatile tools in this framework that can be used to translate composite order schemes for which the prior techniques of Freeman were insufficient. Our techniques are typically applicable for composite order schemes relying on the canceling property and proven secure from variants of the subgroup decision assumption, and will result in prime order schemes that are proven secure from the decisional linear assumption. As an instructive example, we obtain a translation of the Lewko-Waters composite order IBE scheme. This provides a close analog of the Boneh-Boyen IBE scheme that is proven fully secure from the decisional linear assumption. We also provide a translation of the Lewko-Waters unbounded HIBE scheme.
Perfect NIZK with adaptive soundness
In Proceedings of TCC ’07, LNCS series, 2007
Cited by 35 (0 self)
Abstract
The notion of non-interactive zero-knowledge (NIZK) is of fundamental importance in cryptography. Despite the vast attention the concept of NIZK has attracted since its introduction, one question has remained very resistant: Is it possible to construct NIZK schemes for any NP-language with statistical or even perfect ZK? Groth, Ostrovsky and Sahai recently answered this question in the affirmative. However, in order to achieve adaptive soundness, i.e., soundness against dishonest provers who may choose the target statement depending on the common reference string (CRS), their schemes require some restriction to be put upon the statements to be proven, e.g. an a priori bound on their size. In this work, we first present a very simple and efficient adaptively-sound perfect NIZK argument system for any NP-language. Besides being the first adaptively-sound statistical NIZK argument for all NP that does not pose any restriction on the statements to be proven, it enjoys a number of additional desirable properties: it allows the CRS to be reused, it can handle arithmetic circuits, and the CRS can be set up very efficiently without the need for an honest party. We then show an application of our techniques in constructing efficient NIZK schemes for proving arithmetic relations among committed secrets, whereas previous methods required expensive generic NP-reductions. The security of the proposed schemes is based on a strong non-standard assumption, an extended version of the so-called Knowledge-of-Exponent Assumption (KEA) over bilinear groups. We give some justification for using such an assumption by showing that the commonly-used approach for proving NIZK arguments sound does not allow for adaptively-sound statistical NIZK arguments (unless NP ⊂ P/poly). Furthermore, we show that the assumption used in our construction holds with respect to generic adversaries that do not exploit the specific representation of the group elements. We also discuss how to avoid the non-standard assumption in a preprocessing model.
Attribute-Based Signatures: Achieving Attribute-Privacy and Collusion-Resistance
2008
Cited by 23 (0 self)
Abstract
We introduce a new and versatile cryptographic primitive called Attribute-Based Signatures (ABS), in which a signature attests not to the identity of the individual who endorsed a message, but instead to a (possibly complex) claim regarding the attributes she possesses. ABS offers: (1) a strong unforgeability guarantee for the verifier, that the signature was produced by a single party whose attributes satisfy the claim being made, i.e., not by a collusion of individuals who pooled their attributes together; (2) a strong privacy guarantee for the signer, that the signature reveals nothing about the identity or attributes of the signer beyond what is explicitly revealed by the claim being made. We formally define the security requirements of ABS as a cryptographic primitive, and then describe an efficient ABS construction based on groups with bilinear pairings. We prove that our construction is secure in the generic group model. Finally, we illustrate several applications of this new tool; in particular, ABS fills a critical security requirement in attribute-based messaging (ABM) systems. A powerful feature of our ABS construction is that, unlike many other attribute-based cryptographic primitives, it can be readily used in a multi-authority setting, wherein users can make claims involving combinations of attributes issued by independent and mutually distrusting authorities.
Efficient ring signatures without random oracles
In PKC ’07, volume 4450 of LNCS, 2006
Cited by 23 (0 self)
Abstract
We describe the first efficient ring signature scheme secure, without random oracles, based on standard assumptions. Our ring signatures are based in bilinear groups. For l members of a ring, our signatures consist of 2l + 2 group elements and require 2l + 3 pairings to verify. We prove our scheme secure in the strongest security model proposed by Bender, Katz, and Morselli: namely, we show our scheme to be anonymous against full key exposure and unforgeable with respect to insider corruption. A shortcoming of our approach is that all the users’ keys must be defined in the same group.
Honest-Verifier Private Disjointness Testing without Random Oracles
In Workshop on Privacy Enhancing Technologies, 2006
Cited by 20 (1 self)
Abstract
We present an efficient construction of a private disjointness testing protocol that is secure against malicious provers and honest-but-curious (semi-honest) verifiers, without the use of random oracles. In a completely semi-honest setting, this construction implements a private intersection cardinality protocol. We formally define both private intersection cardinality and private disjointness testing protocols. We prove that our construction is secure under the subgroup decision and subgroup computation assumptions. A major advantage of our construction is that it does not require bilinear groups, random oracles, or non-interactive zero-knowledge proofs. Applications of private intersection cardinality and disjointness testing protocols include privacy-preserving data mining and anonymous login systems.