Results 1  10
of
206
IdentityBased Encryption from the Weil Pairing
, 2001
"... We propose a fully functional identitybased encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational DiffieHellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic ..."
Abstract

Cited by 1748 (28 self)
 Add to MetaCart
(Show Context)
We propose a fully functional identitybased encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational DiffieHellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.
Ciphertextpolicy attributebased encryption
 In Proceedings of the IEEE Symposium on Security and Privacy (To Appear
, 2007
"... ..."
Hierarchical IDBased Cryptography
, 2002
"... We present hierarchical identitybased encryption schemes and signature schemes that have total collusion resistance on an arbitrary number of levels and that have chosen ciphertext security in the random oracle model assuming the difficulty of the Bilinear DiffieHellman problem. ..."
Abstract

Cited by 257 (3 self)
 Add to MetaCart
We present hierarchical identitybased encryption schemes and signature schemes that have total collusion resistance on an arbitrary number of levels and that have chosen ciphertext security in the random oracle model assuming the difficulty of the Bilinear DiffieHellman problem.
Revocation and Tracing Schemes for Stateless Receivers
, 2001
"... Abstract. We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their ..."
Abstract

Cited by 250 (5 self)
 Add to MetaCart
Abstract. We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their state from session to session. We present a framework called the SubsetCover framework, which abstracts a variety of revocation schemes including some previously known ones. We provide sufficient conditions that guarantees the security of a revocation algorithm in this class. We describe two explicit SubsetCover revocation algorithms; these algorithms are very flexible and work for any number of revoked users. The schemes require storage at the receiver of log N and 1 2 log2 N keys respectively (N is the total number of users), and in order to revoke r users the required message lengths are of r log N and 2r keys respectively. We also provide a general traitor tracing mechanism that can be integrated with any SubsetCover revocation scheme that satisfies a “bifurcation property”. This mechanism does not need an a priori bound on the number of traitors and does not expand the message length by much compared to the revocation of the same set of traitors. The main improvements of these methods over previously suggested methods, when adopted to the stateless scenario, are: (1) reducing the message length to O(r) regardless of the coalition size while maintaining a single decryption at the user’s end (2) provide a seamless integration between the revocation and tracing so that the tracing mechanisms does not require any change to the revocation algorithm.
On the security of joint signature and encryption
, 2002
"... We formally study the notion of a joint signature and encryption in the publickey setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of t ..."
Abstract

Cited by 150 (6 self)
 Add to MetaCart
(Show Context)
We formally study the notion of a joint signature and encryption in the publickey setting. We refer to this primitive as signcryption, adapting the terminology of [35]. We present two definitions for the security of signcryption depending on whether the adversary is an outsider or a legal user of the system. We then examine generic sequential composition methods of building signcryption from a signature and encryption scheme. Contrary to what recent results in the symmetric setting [5, 22] might lead one to expect, we show that classical “encryptthensign” (EtS) and “signthenencrypt” (StE) methods are both secure composition methods in the publickey setting. We also present a new composition method which we call “committhenencryptandsign” (CtE&S). Unlike the generic sequential composition methods, CtE&S applies the expensive signature and encryption operations in parallel, which could imply a gain in efficiency over the StE and EtS schemes. We also show that the new CtE&S method elegantly combines with the recent “hashsignswitch” technique of [30], leading to efficient online/offline signcryption. Finally and of independent interest, we discuss the definitional inadequacy of the standard notion of chosen ciphertext (CCA2) security. We suggest a natural and very slight relaxation of CCA2security, which we call generalized CCA2ecurity (gCCA2). We show that gCCA2security suffices for all known uses of CCA2secure encryption, while no longer suffering from the definitional shortcomings of the latter.
Towards hierarchical identitybased encryption
 In Proceedings of Asiacrypt 2002, LNCS 2501
, 2002
"... Abstract. We introduce the concept of hierarchical identitybased encryption (HIBE) schemes, give precise definitions of their security and mention some applications. A twolevel HIBE (2HIBE) scheme consists of a root private key generator (PKG), domain PKGs and users, all of which are associated w ..."
Abstract

Cited by 141 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce the concept of hierarchical identitybased encryption (HIBE) schemes, give precise definitions of their security and mention some applications. A twolevel HIBE (2HIBE) scheme consists of a root private key generator (PKG), domain PKGs and users, all of which are associated with primitive IDs (PIDs) that are arbitrary strings. A user’s public key consists of their PID and their domain’s PID (in whole called an address). In a regular IBE (which corresponds to a 1HIBE) scheme, there is only one PKG that distributes private keys to each user (whose public keys are their PID). In a 2HIBE, users retrieve their private key from their domain PKG. Domain PKGs can compute the private key of any user in their domain, provided they have previously requested their domain secret key from the root PKG (who possesses a master secret). We can go beyond two levels by adding subdomains, subsubdomains, and so on. We present a twolevel system with total collusion resistance at the upper (domain) level and partial collusion resistance at the lower (user) level, which has chosenciphertext security in the randomoracle model. 1
A Proposal for an ISO Standard for Public Key Encryption (version 2.0)
, 2001
"... This document should be viewed less as a first draft of a standard for publickey encryption, and more as a proposal for what such a draft standard should contain. It is hoped that this proposal will serve as a basis for discussion, from which a consensus for a standard may be formed. ..."
Abstract

Cited by 131 (3 self)
 Add to MetaCart
(Show Context)
This document should be viewed less as a first draft of a standard for publickey encryption, and more as a proposal for what such a draft standard should contain. It is hoped that this proposal will serve as a basis for discussion, from which a consensus for a standard may be formed.
Squealing Euros: Privacy Protection in RFIDEnabled Banknotes
 Financial Cryptography ’03
, 2002
"... Thanks to their broad international acceptance and availability in high denominations, there is widespread concern that Euro banknotes may provide an attractive new currency for criminal transactions. ..."
Abstract

Cited by 108 (11 self)
 Add to MetaCart
Thanks to their broad international acceptance and availability in high denominations, there is widespread concern that Euro banknotes may provide an attractive new currency for criminal transactions.
Provably secure ciphertext policy ABE. Cryptology ePrint Archive Report 2007/183
, 2007
"... In ciphertext policy attributebased encryption (CPABE), every secret key is associated with a set of attributes, and every ciphertext is associated with an access structure on attributes. Decryption is enabled if and only if the user’s attribute set satisfies the ciphertext access structure. This ..."
Abstract

Cited by 99 (1 self)
 Add to MetaCart
(Show Context)
In ciphertext policy attributebased encryption (CPABE), every secret key is associated with a set of attributes, and every ciphertext is associated with an access structure on attributes. Decryption is enabled if and only if the user’s attribute set satisfies the ciphertext access structure. This provides finegrained access control on shared data in many practical settings, e.g., secure database and IP multicast. In this paper, we study CPABE schemes in which access structures are AND gates on positive and negative attributes. Our basic scheme is proven to be chosen plaintext (CPA) secure under the decisional bilinear DiffieHellman (DBDH) assumption. We then apply the CanettiHaleviKatz technique to obtain a chosen ciphertext (CCA) secure extension using onetime signatures. The security proof is a reduction to the DBDH assumption and the strong existential unforgeability of the signature primitive. In addition, we introduce hierarchical attributes to optimize our basic scheme—reducing both ciphertext size and encryption/decryption time while maintaining CPA security. We conclude with a discussion of practical applications of
An Uninstantiable RandomOracleModel Scheme for a HybridEncryption Problem
"... We present a simple, natural randomoracle (RO) model scheme, for a practical goal, that is uninstantiable, meaning is proven in the RO model to meet its goal yet admits no standardmodel instantiation that meets this goal. The goal in question is INDCCApreserving asymmetric encryption which for ..."
Abstract

Cited by 95 (4 self)
 Add to MetaCart
(Show Context)
We present a simple, natural randomoracle (RO) model scheme, for a practical goal, that is uninstantiable, meaning is proven in the RO model to meet its goal yet admits no standardmodel instantiation that meets this goal. The goal in question is INDCCApreserving asymmetric encryption which formally captures security of the most common practical usage of asymmetric encryption, namely to transport a symmetric key in such a way that symmetric encryption under the latter remains secure. The scheme is an ElGamal variant, called Hash ElGamal, that resembles numerous existing ROmodel schemes, and on the surface shows no evidence of its anomalous properties. These results extend our understanding of the gap between the standard and RO models, and bring concerns raised by previous work closer to practice by indicating that the problem of ROmodel schemes admitting no secure instantiation can arise in domains where RO schemes are commonly designed.