Attribute-based encryption for fine-grained access control of encrypted data (2006)
Venue: | In Proc. of ACM CCS’06 |
Citations: | 521 - 23 self |
Citations
2578 | How to share a secret - Shamir - 1979 |
1641 | Random oracles are practical: a paradigm for designing efficient protocols - Bellare, Rogaway - 1993
Citation Context ... universe. Yet the size of public parameters only grow linearly in a parameter n. The parameter n is the maximum size of the set γ we can encrypt under. 3 3 If we are willing to accept random oracles [4], it is possible to overcome the size-limitation on γ by replacing the function T(X) in our construction (see Setup) by a hash function As noted in [32], having large universe allows us to apply a co... |
581 | Safeguarding cryptographic keys - Blakley - 1979
Citation Context ...e (of the secret) for that party. Every SSS realizes some access structure that defines the sets of parties who should be able to reconstruct the secret by using their shares. Shamir [33] and Blakley [6] were the first to propose a construction for secret-sharing schemes where the access structure is a threshold gate. That is, if any t or more parties come together, they can reconstruct the secret by... |
383 | Public key encryption with keyword search - Boneh, Crescenzo, et al. - 2004 |
282 | An identity based encryption scheme based on quadratic residues - Cocks - 2001
Citation Context ... by Sahai and Waters [32], who also presented a particular scheme that they called Fuzzy Identity-Based Encryption (FIBE). The Fuzzy-IBE scheme builds upon several ideas from Identity-Based Encryption [9, 34, 17]. In FIBE, an identity is viewed as a set of attributes. FIBE allows for a private key for an identity, ω, to decrypt to a ciphertext encrypted with an identity, ω′, if and only if the identities ω ... |
280 | Identity based encryption from the Weil pairing - Boneh, Franklin - 2003
Citation Context ... by Sahai and Waters [32], who also presented a particular scheme that they called Fuzzy Identity-Based Encryption (FIBE). The Fuzzy-IBE scheme builds upon several ideas from Identity-Based Encryption [9, 34, 17]. In FIBE, an identity is viewed as a set of attributes. FIBE allows for a private key for an identity, ω, to decrypt to a ciphertext encrypted with an identity, ω′, if and only if the identities ω ... |
279 | Chosen-ciphertext security from identity-based encryption - Boneh, Canetti, et al.
Citation Context ...security of an ABE scheme. We define a selective-set model for proving the security of the attribute based under chosen plaintext attack. This model can be seen as analogous to the selective-ID model [15, 16, 7] used in identity-based encryption (IBE) schemes [34, 9, 17]. Selective-Set Model for ABE Init The adversary declares the set of attributes, γ, that he wishes to be challenged upon. Setup The challeng... |
257 | Hierarchical ID-Based Cryptography - Gentry, Silverberg - 2002
Citation Context ...r access structure Y, if and only if Y is more restrictive than X. Somewhat surprisingly, we observe that our construction with the delegation property subsumes Hierarchical Identity-Based Encryption [24, 20] and its derivatives [1]. 1.1 Organization We begin with a discussion of related work in Section 2. Next, we give necessary background information and our definitions of security in Section 3. We then... |
251 | A forward-secure public-key encryption scheme - Canetti, Halevi, et al.
Citation Context ...security of an ABE scheme. We define a selective-set model for proving the security of the attribute based under chosen plaintext attack. This model can be seen as analogous to the selective-ID model [15, 16, 7] used in identity-based encryption (IBE) schemes [34, 9, 17]. Selective-Set Model for ABE Init The adversary declares the set of attributes, γ, that he wishes to be challenged upon. Setup The challeng... |
197 | Collusion resistant broadcast encryption with short ciphertexts and private keys - Boneh, Gentry, et al. - 2005
Citation Context ...ely allow the flexibility we envision in issuing private keys for the unique needs of each user. It is worth mentioning that handling such a situation with the best known broadcast encryption schemes [10, 22] (which allow encrypting to an arbitrary subset of users) is quite inefficient in comparison. The efficiency of such systems is dependent on the size of the authorized user set or the number of users ... |
184 | Generalized secret sharing and monotone functions - Benaloh, Leichter - 1988
Citation Context ...ate. That is, if any t or more parties come together, they can reconstruct the secret by using their shares; however, any lesser number of parties do not get any information about the secret. Benaloh [5] extended Shamir’s idea to realize any access structure that can be represented as a tree consisting of threshold gates. Other notable secret-sharing schemes are [25, 14]. In SSS, one can specify a tre... |
184 | Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security - Sahai - 1999
Citation Context ...l. Similar to [32], we notice that our construction can be extended to the chosen-ciphertext model by applying the technique of using simulation-sound NIZK proofs to achieve chosen-ciphertext security [31]. However, in Section 9 we describe how our delegation mechanism can be used with the techniques of Canetti, Halevi, and Katz [16] to achieve a much more efficient CCA-2 system. 5. LARGE UNIVERSE CON... |
156 | Some Ideal Secret Sharing Schemes - Brickell - 1983
Citation Context ...formation about the secret. Benaloh [5] extended Shamir’s idea to realize any access structure that can be represented as a tree consisting of threshold gates. Other notable secret-sharing schemes are [25, 14]. In SSS, one can specify a tree-access structure where the interior nodes consist of AND and OR gates and the leaves consist of different parties. Any set of parties that satisfy the tree can come to... |
154 | Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles - Boneh, Boyen - 2004
Citation Context ...security of an ABE scheme. We define a selective-set model for proving the security of the attribute based under chosen plaintext attack. This model can be seen as analogous to the selective-ID model [15, 16, 7] used in identity-based encryption (IBE) schemes [34, 9, 17]. Selective-Set Model for ABE Init The adversary declares the set of attributes, γ, that he wishes to be challenged upon. Setup The challeng... |
147 | On Span Programs - Karchmer, Wigderson - 1993 |
141 | Toward Hierarchical Identity-Based Encryption. Adv - Horwitz, Lynn - 2002
Citation Context ...r access structure Y, if and only if Y is more restrictive than X. Somewhat surprisingly, we observe that our construction with the delegation property subsumes Hierarchical Identity-Based Encryption [24, 20] and its derivatives [1]. 1.1 Organization We begin with a discussion of related work in Section 2. Next, we give necessary background information and our definitions of security in Section 3. We then... |
137 | Secret sharing schemes realizing general access structures - Ito, Saito, et al. - 1987
Citation Context ...formation about the secret. Benaloh [5] extended Shamir’s idea to realize any access structure that can be represented as a tree consisting of threshold gates. Other notable secret-sharing schemes are [25, 14]. In SSS, one can specify a tree-access structure where the interior nodes consist of AND and OR gates and the leaves consist of different parties. Any set of parties that satisfy the tree can come to... |
113 | The LSD Broadcast Encryption Scheme - Halevy, Shamir - 2002
Citation Context ...ely allow the flexibility we envision in issuing private keys for the unique needs of each user. It is worth mentioning that handling such a situation with the best known broadcast encryption schemes [10, 22] (which allow encrypting to an arbitrary subset of users) is quite inefficient in comparison. The efficiency of such systems is dependent on the size of the authorized user set or the number of users ... |
96 | Secure Schemes for Secret Sharing and Key Distribution - Beimel - 1996
Citation Context ...ucture is specified in the private key, while the ciphertexts are simply labeled with a set of descriptive attributes. 1 We note that this setting is reminiscent of secret sharing schemes (see, e.g., [3]). Using known techniques one can build a secret-sharing scheme that specifies that a set of parties must cooperate in order to reconstruct a secret. For example, one can specify a tree access structu... |
90 | A unified scheme for resource protection in automated trust negotiation - Yu, Winslett - 2003
Citation Context ...ers and allow flexibility in specifying the access rights of individual users. Several techniques are known for implementing fine grained access control. Common to the existing techniques (see, e.g., [26, 19, 36, 27, 23, 28] and the references therein) is the fact that they employ a trusted server that stores the data in clear. Access control relies on software checks to ensure that a user can access a piece of data only... |
89 | Improved efficiency for CCA-secure cryptosystems built using identity-based encryption - Boneh, Katz - 2005
Citation Context ...it creates a new key for the access structure of “X AND CCA : VK”. By similar arguments to those in Canetti, Halevi, and Katz [16] this gives chosen-ciphertext security. We can also use other methods [11, 12] to achieve greater efficiency. We can realize a HIBE by simply managing the assignment of attributes in a careful manner. For example, to encrypt to the hierarchical identity “edu:ucla” one can e... |
86 | Identity based cryptosystems and signature schemes - Shamir - 1984
Citation Context ... by Sahai and Waters [32], who also presented a particular scheme that they called Fuzzy Identity-Based Encryption (FIBE). The Fuzzy-IBE scheme builds upon several ideas from Identity-Based Encryption [9, 34, 17]. In FIBE, an identity is viewed as a set of attributes. FIBE allows for a private key for an identity, ω, to decrypt to a ciphertext encrypted with an identity, ω′, if and only if the identities ω ... |
85 | No registration needed: How to use declarative policies and negotiation to access sensitive resources on the semantic web. In: European Semantic Web Symposium - Gavriloaie, Nejdl, et al. - 2004
Citation Context ...ers and allow flexibility in specifying the access rights of individual users. Several techniques are known for implementing fine grained access control. Common to the existing techniques (see, e.g., [26, 19, 36, 27, 23, 28] and the references therein) is the fact that they employ a trusted server that stores the data in clear. Access control relies on software checks to ensure that a user can access a piece of data only... |
84 | Problems and Theorems in Linear Algebra - Prasolov - 1994 |
83 | Direct Chosen Ciphertext Security from Identity-Based Techniques - Boyen, Mei, et al. - 2005
Citation Context ...it creates a new key for the access structure of “X AND CCA : VK”. By similar arguments to those in Canetti, Halevi, and Katz [16] this gives chosen-ciphertext security. We can also use other methods [11, 12] to achieve greater efficiency. We can realize a HIBE by simply managing the assignment of attributes in a careful manner. For example, to encrypt to the hierarchical identity “edu:ucla” one can e... |
70 | Concealing complex policies with hidden credentials - Bradshaw, Holt, et al.
Citation Context ... the number of attributes. We also note that there has been other work that applied IBE techniques to access control, but did not address our central concern of resisting attacks from colluding users [35, 13]. 3. BACKGROUND We first give formal definitions for the security of Key-Policy Attribute Based Encryption (KP-ABE). Then we give background information on bilinear maps and our cryptographic assumptio... |
62 | Access Control Mechanisms for Inter-organizational Workflows - Kang, Park - 2001
Citation Context ...ers and allow flexibility in specifying the access rights of individual users. Several techniques are known for implementing fine grained access control. Common to the existing techniques (see, e.g., [26, 19, 36, 27, 23, 28] and the references therein) is the fact that they employ a trusted server that stores the data in clear. Access control relies on software checks to ensure that a user can access a piece of data only... |
61 | W.H.: Automated trust negotiation using cryptographic credentials. In: - Li, Li, et al. - 2005
Citation Context ...ers and allow flexibility in specifying the access rights of individual users. Several techniques are known for implementing fine grained access control. Common to the existing techniques (see, e.g., [26, 19, 36, 27, 23, 28] and the references therein) is the fact that they employ a trusted server that stores the data in clear. Access control relies on software checks to ensure that a user can access a piece of data only... |
61 | Fuzzy identity based encryption - Sahai, Waters - 2005
Citation Context .... Neither one of these options is particularly appealing. An important setting where these issues give rise to serious problems is audit logs (discussed in more detail in Section 7). Sahai and Waters [32] made some initial steps to solving this problem by introducing the concept of Attributed-Based Encryption (ABE). In an ABE system, a user’s keys and ciphertexts are labeled with sets of descriptive a... |
52 | Methods and limitations of security policy reconciliation, in - McDaniel, Prakash - 2002
Citation Context ...ers and allow flexibility in specifying the access rights of individual users. Several techniques are known for implementing fine grained access control. Common to the existing techniques (see, e.g., [26, 19, 36, 27, 23, 28] and the references therein) is the fact that they employ a trusted server that stores the data in clear. Access control relies on software checks to ensure that a user can access a piece of data only... |
40 | ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption - Yao, Dodis, et al. - 2004
Citation Context ... structures. Our constructions support a wide variety of access structures (indeed, in its most general form, every LSSS realizable access structure), including a tree of threshold gates. Yao et al. [18] show how an IBE system that encrypts to multiple hierarchical identities in a collusion-resistant manner implies a forward secure Hierarchical IBE scheme. They also note how their techniques for resi... |
39 | Access control using pairing based cryptography - Smart - 2003
Citation Context ... the number of attributes. We also note that there has been other work that applied IBE techniques to access control, but did not address our central concern of resisting attacks from colluding users [35, 13]. 3. BACKGROUND We first give formal definitions for the security of Key-Policy Attribute Based Encryption (KP-ABE). Then we give background information on bilinear maps and our cryptographic assumptio... |
28 | Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data - Goyal, Pandey, et al. - 2006
Citation Context ...tems are useful in different contexts. 2 In fact, we can extend our scheme to work for any access structure for which a Linear Secret Sharing Scheme exists (see full version of this paper for details [21]). 2. RELATED WORK Fine-grained Access Control. Fine-grained access control systems facilitate granting differential access rights to a set of users and allow flexibility in specifying the access righ... |
25 | Identity-based encryption gone wild - Abdalla, Catalano, et al. - 2006
Citation Context ...only if Y is more restrictive than X. Somewhat surprisingly, we observe that our construction with the delegation property subsumes Hierarchical Identity-Based Encryption [24, 20] and its derivatives [1]. 1.1 Organization We begin with a discussion of related work in Section 2. Next, we give necessary background information and our definitions of security in Section 3. We then present our first const... |
21 | Cryptographic solution to a multilevel security problem - Akl, Taylor - 1982
Citation Context ... Furthermore, there is always a danger of “insider attacks” wherein a person having access to the server steals and leaks the information, for example, for economic gains. Some techniques (see, e.g., [2]) create user hierarchies and require the users to share a common secret key if they are in a common set in the hierarchy. The data is then classified according to the hierarchy and encrypted under th... |
19 | Principles of policy in secure groups, in - Harney, Colgrove, et al. - 2001
Citation Context ...ers and allow flexibility in specifying the access rights of individual users. Several techniques are known for implementing fine grained access control. Common to the existing techniques (see, e.g., [26, 19, 36, 27, 23, 28] and the references therein) is the fact that they employ a trusted server that stores the data in clear. Access control relies on software checks to ensure that a user can access a piece of data only... |
8 | Secure Attribute-Based Systems - Pirretti, Traynor, et al. - 2006
Citation Context ...et values to the user: $D_x = g_2^{q_x(0)} \cdot T(i)^{r_x}$ where $i = \mathrm{att}(x)$, $R_x = g^{r_x}$, where $r_x$ is chosen uniformly at random from $\mathbb{Z}_p$ for each node $x$. The set of above secret pairs is the decryption key D. (see [30] for details). This also improves the efficiency of the system. 4 With some minor modifications, which we omit for simplicity, we can encrypt to all sets of size ≤ n. Decryption (E,D) As for the ca... |
4 | Elementary linear algebra, 9th edition - Anton - 2005 |