Results 1-10 of 37
New proof methods for attribute-based encryption: Achieving full security through selective techniques
In Proc. of CRYPTO, 2012
Cited by 48 (10 self)
We develop a new methodology for utilizing the prior techniques to prove selective security for functional encryption systems as a direct ingredient in devising proofs of full security. This deepens the relationship between the selective and full security models and provides a path for transferring the best qualities of selectively secure systems to fully secure systems. In particular, we present a Ciphertext-Policy Attribute-Based Encryption scheme that is proven fully secure while matching the efficiency of the state-of-the-art selectively secure systems.
Witness encryption from instance-independent assumptions
In Advances in Cryptology - CRYPTO, 2014
Cited by 23 (3 self)
Witness encryption was proposed by Garg, Gentry, Sahai, and Waters as a means to encrypt to an instance, x, of an NP language and produce a ciphertext. In such a system, any decryptor that knows of a witness w that x is in the language can decrypt the ciphertext and learn the message. In addition to proposing the concept, their work provided a candidate for a witness encryption scheme built using multilinear encodings. However, one significant limitation of the work is that the candidate had no proof of security (other than essentially assuming the scheme secure). In this work we provide a proof framework for proving witness encryption schemes secure under instance-independent assumptions. At the highest level we introduce the abstraction of positional witness encryption, which allows a proof reduction of a witness encryption scheme via a sequence of 2^n hybrid experiments, where n is the witness length of the NP-statement. Each hybrid step proceeds by looking at a single witness candidate and using the fact that it does not satisfy the NP-relation to move the proof forward. We show that this "isolation strategy" enables one to create a witness encryption system that is provably secure from assumptions that are (maximally) independent of any particular encryption instance. We demonstrate the viability of our approach by implementing this strategy using level n-linear encodings, where n is the witness length. Our complexity assumption has ≈ n group elements, but does not otherwise depend on the NP-instance x.
Dual system encryption via predicate encodings
In TCC, 2014
Cited by 13 (4 self)
We introduce the notion of predicate encodings, an information-theoretic primitive reminiscent of linear secret-sharing that, in addition, satisfies a novel notion of reusability. Using this notion, we obtain a unifying framework for adaptively-secure public-index predicate encryption schemes for a large class of predicates. Our framework relies on Waters' dual system encryption methodology (Crypto '09), and encompasses the identity-based encryption scheme of Lewko and Waters (TCC '10) and the attribute-based encryption scheme of Lewko et al. (Eurocrypt '10). In addition, we obtain several concrete improvements over prior works. Our work offers a novel interpretation of dual system encryption as a methodology for amplifying a one-time private-key primitive (i.e. predicate encodings) into a many-time public-key primitive (i.e. predicate encryption).
(Hierarchical) Identity-Based Encryption from Affine Message Authentication
Cited by 10 (1 self)
We provide a generic transformation from any affine message authentication code (MAC) to an identity-based encryption (IBE) scheme over pairing groups of prime order. If the MAC satisfies a security notion related to unforgeability against chosen-message attacks and, for example, the k-Linear assumption holds, then the resulting IBE scheme is adaptively secure. Our security reduction is tightness-preserving, i.e., if the MAC has a tight security reduction, so has the IBE scheme. Furthermore, the transformation also extends to hierarchical identity-based encryption (HIBE). We also show how to construct affine MACs with a tight security reduction to standard assumptions. This, among other things, provides the first tightly secure HIBE in the standard model.
Shorter IBE and Signatures via Asymmetric Pairings
Cited by 9 (4 self)
We present efficient Identity-Based Encryption (IBE) and signature schemes under the Symmetric External Diffie-Hellman (SXDH) assumption in bilinear groups. In both the IBE and the signature schemes, all parameters have constant numbers of group elements, and are shorter than those of previous constructions based on the Decisional Linear (DLIN) assumption. Our constructions use both dual system encryption (Waters, Crypto '09) and dual pairing vector spaces (Okamoto and Takashima, Pairing '08, Asiacrypt '09). Specifically, we show how to adapt the recent DLIN-based instantiations of Lewko (Eurocrypt '12) to the SXDH assumption. To our knowledge, this is the first work to instantiate either dual system encryption or dual pairing vector spaces under the SXDH assumption.
Déjà Q: Using Dual Systems to Revisit q-Type Assumptions
Cited by 7 (1 self)
After more than a decade of usage, bilinear groups have established their place in the cryptographic canon by enabling the construction of many advanced cryptographic primitives. Unfortunately, this explosion in functionality has been accompanied by an analogous growth in the complexity of the assumptions used to prove security. Many of these assumptions have been gathered under the umbrella of the "uber-assumption," yet certain classes of these assumptions, namely q-type assumptions, are stronger and require larger parameter sizes than their static counterparts. In this paper, we show that in certain bilinear groups, many classes of q-type assumptions are in fact implied by subgroup hiding (a well-established, static assumption). Our main tool in this endeavor is the dual-system technique, as introduced by Waters in 2009. As a case study, we first show that in composite-order groups, we can prove the security of the Dodis-Yampolskiy PRF based solely on subgroup hiding and allow for a domain of arbitrary size (the original proof only allowed a logarithmically-sized domain). We then turn our attention to classes of q-type assumptions and show that they are implied, when instantiated in appropriate groups, solely by subgroup hiding. These classes are quite general and include assumptions such as q-SDH. Concretely, our result implies that every construction relying on such assumptions for security (e.g., Boneh-Boyen signatures) can, when instantiated in appropriate composite-order bilinear groups, be proved secure under subgroup hiding instead.
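The Dodis-Yampolskiy PRF that the Déjà Q abstract uses as its case study, as an added example that is not code from that paper: F_k(x) = g^{1/(k+x)}, evaluated here in a prime-order subgroup of Z_p^* rather than in a bilinear group, so the pairing-dependent parts of the paper (subgroup hiding, composite-order groups, pairing-based verification of Boneh-Boyen signatures) are not modelled. The safe-prime group, the key k and the inputs are all constructed for the example; is_sdh_pair uses the secret k to show that each PRF output is a pair (x, g^{1/(k+x)}) of exactly the shape q-SDH asks an attacker to forge and that a Boneh-Boyen signature takes.

```python
import random

# Added example, not code from the Déjà Q paper: the Dodis-Yampolskiy PRF
# F_k(x) = g^(1/(k+x)) in a prime-order subgroup of Z_p^* (no pairing,
# no composite order). Only the algebraic shape of the PRF is shown.

_MR_RNG = random.Random(0)  # fixed seed keeps the example reproducible


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test with small-prime trial division first."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _MR_RNG.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime_order_group(bits=64, seed=1):
    """Return (p, q, g): p = 2q + 1 a safe prime and g = 4 a generator of the
    order-q subgroup of Z_p^* (4 is a square, so its order divides the prime
    q and is therefore exactly q). Constructed parameters for the example."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, q, 4


def dy_prf(k, x, p, q, g):
    """F_k(x) = g^{1/(k+x)}. The inverse is taken modulo the group order q,
    not modulo p. The domain is all of Z_q except the single point x = -k,
    so arbitrarily large inputs are simply reduced mod q."""
    e = (k + x) % q
    if e == 0:
        # k + x has no inverse mod q; the function is undefined at this point.
        raise ValueError("k + x is 0 mod q; F_k is undefined at this input")
    return pow(g, pow(e, -1, q), p)


def is_sdh_pair(k, x, y, p, q, g):
    """With the secret k, check y = g^{1/(k+x)} by testing y^{k+x} = g.
    (x, y) is the kind of pair the q-SDH assumption asks an attacker to
    output for a fresh x given g, g^k, ..., g^{k^q}; a Boneh-Boyen signature
    on message x under key k has the same form (there it is checked with a
    pairing and the public key, which this example does not model)."""
    return pow(y, (k + x) % q, p) == g


if __name__ == "__main__":
    p, q, g = gen_prime_order_group()
    k = random.Random(2).randrange(1, q)  # constructed PRF key
    for x in (0, 1, 2 ** 200):
        y = dy_prf(k, x, p, q, g)
        print(x, y, is_sdh_pair(k, x, y, p, q, g))
```

The point worth keeping in mind from the abstract is that the "domain of arbitrary size" result is about the reduction, not the function: as the code shows, F_k is defined on every element of Z_q but one, and the earlier proof's restriction to a logarithmically-sized domain came from the strength of the q-type assumption it needed, which is what Déjà Q replaces with subgroup hiding in composite-order groups.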
Improved dual system ABE in prime-order groups via predicate encodings
In Eurocrypt, 2015
Cited by 6 (2 self)
We present a modular framework for the design of efficient adaptively secure attribute-based encryption (ABE) schemes for a large class of predicates under the standard k-Lin assumption in prime-order groups; this is the first uniform treatment of dual system ABE across different predicates and across both composite- and prime-order groups. Via this framework, we obtain concrete efficiency improvements for several ABE schemes. Our framework has three novel components over prior works: (i) new techniques for simulating composite-order groups in prime-order ones, (ii) a refinement of the prior encodings framework for dual system ABE in composite-order groups, (iii) an extension to weakly attribute-hiding predicate encryption (which includes anonymous identity-based encryption as a special case).
Dual form signatures: An approach for proving security from static assumptions
2012
Cited by 5 (0 self)
In this paper, we introduce the abstraction of Dual Form Signatures as a useful framework for proving security (existential unforgeability) from static assumptions for schemes with special structure that are used as a basis of other cryptographic protocols and applications. We demonstrate the power of this framework by proving security under static assumptions for close variants of pre-existing schemes:
• the LRSW-based Camenisch-Lysyanskaya signature scheme
• the identity-based sequential aggregate signatures of Boldyreva, Gentry, O'Neill, and Yum.
The Camenisch-Lysyanskaya signature scheme was previously proven only under the interactive LRSW assumption, and our result can be viewed as a static replacement for the LRSW assumption. The scheme of Boldyreva, Gentry, O'Neill, and Yum was also previously proven only under an interactive assumption that was shown to hold in the generic group model. The structure of the public key signature scheme underlying the BGOY aggregate signatures is quite distinctive, and our work presents the first security analysis of this kind of structure under static assumptions. We view our work as enhancing our understanding of the security of these signatures, and also as an important step towards obtaining proofs under the weakest possible assumptions. Finally, we believe our work also provides a new path for proving security of signatures with embedded structure. Examples of these include: attribute-based signatures, quotable signatures, and signing group elements.
Dual system groups and its applications — compact HIBE and more. Cryptology ePrint Archive, Report 2014/265
2014
Cited by 5 (3 self)
We introduce the notion of dual system groups.
– We show how to derive compact HIBE by instantiating the dual system framework in Waters (Crypto '09) and Lewko and Waters (TCC '10) with dual system groups. Our construction provides a unified treatment of the prior compact HIBE schemes from static assumptions.
– We show how to instantiate dual system groups under the decisional subgroup assumption in composite-order groups and the decisional linear assumption (dLIN) in prime-order groups. Along the way, we provide new tools for simulating properties of composite-order bilinear groups in prime-order groups. In particular, we present new randomization and parameter-hiding techniques in prime-order groups.
Combining the two, we obtain a number of new encryption schemes, notably
– a new construction of IBE in prime-order groups with shorter parameters;
– a new construction of compact HIBE in prime-order groups whose structure closely mirrors the selectively secure HIBE scheme of Boneh, Boyen and Goh (Eurocrypt '05);
Comparing the Pairing Efficiency over Composite-Order and Prime-Order Elliptic Curves
Cited by 4 (0 self)
We provide software implementation timings for pairings over composite-order and prime-order elliptic curves. Composite orders must be large enough to be infeasible to factor; in the literature they are moduli with 2 to 5 large prime factors. Size recommendations exist for two-prime RSA moduli, and we extend the results of Lenstra concerning RSA modulus sizes to multi-prime moduli, for various security levels. We then implement a Tate pairing over a composite-order supersingular curve and an optimal ate pairing over a prime-order Barreto-Naehrig curve, both at the 128-bit security level. We use our implementation timings to deduce the total cost of the homomorphic encryption scheme of Boneh, Goh and Nissim and its translation by Freeman to the prime-order setting. We also compare the efficiency of the unbounded Hierarchical Identity Based Encryption protocol of Lewko and Waters and its translation by Lewko to the prime-order setting. Our results strengthen the previously observed inefficiency of composite-order bilinear groups and advocate the use of prime-order groups whenever possible in protocol design.