Results 11  20
of
280
Practical identitybased encryption without random oracles
 of LNCS
"... Abstract. We present an Identity Based Encryption (IBE) system that is fully secure in the standard model and has several advantages over previous such systems – namely, computational efficiency, shorter public parameters, and a “tight ” security reduction, albeit to a stronger assumption that depen ..."
Abstract

Cited by 140 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We present an Identity Based Encryption (IBE) system that is fully secure in the standard model and has several advantages over previous such systems – namely, computational efficiency, shorter public parameters, and a “tight ” security reduction, albeit to a stronger assumption that depends on the number of private key generation queries made by the adversary. Our assumption is a variant of Boneh et al.’s decisional Bilinear DiffieHellman Exponent assumption, which has been used to construct efficient hierarchical IBE and broadcast encryption systems. The construction is remarkably simple. It also provides recipient anonymity automatically, providing a second (and more efficient) solution to the problem of achieving anonymous IBE without random oracles. Finally, our proof of CCA2 security, which has more in common with the security proof for the CramerShoup encryption scheme than with security proofs for other IBE systems, may be of independent interest.
CiphertextPolicy AttributeBased Encryption: An Expressive, Efficient, and Provably Secure Realization
, 2008
"... We present new techniques for realizing CiphertextPolicy Attribute Encryption (CPABE) under concrete and noninteractive cryptographic assumptions. Our solutions allow any encryptor to specify access control in terms of an LSSS matrix, M, over the attributes in the system. We present three differen ..."
Abstract

Cited by 134 (9 self)
 Add to MetaCart
(Show Context)
We present new techniques for realizing CiphertextPolicy Attribute Encryption (CPABE) under concrete and noninteractive cryptographic assumptions. Our solutions allow any encryptor to specify access control in terms of an LSSS matrix, M, over the attributes in the system. We present three different constructions that allow different tradeoffs between the systems efficiency and the complexity of the assumptions used. All three constructions use a common methodology of “directly” solving the CPABE problem that enable us to get much better efficiency than prior approaches.
Attributebased encryption with nonmonotonic access structures
 In ACM CCCS
, 2007
"... We construct an AttributeBased Encryption (ABE) scheme that allows a user’s private key to be expressed in terms of any access formula over attributes. Previous ABE schemes were limited to expressing only monotonic access structures. We provide a proof of security for our scheme based on the Decisi ..."
Abstract

Cited by 130 (5 self)
 Add to MetaCart
(Show Context)
We construct an AttributeBased Encryption (ABE) scheme that allows a user’s private key to be expressed in terms of any access formula over attributes. Previous ABE schemes were limited to expressing only monotonic access structures. We provide a proof of security for our scheme based on the Decisional Bilinear DiffieHellman (BDH) assumption. Furthermore, the performance of our new scheme compares favorably with existing, lessexpressive schemes. Categories and Subject Descriptors: E.3 [Data Encryption]: Public key cryptosystems. General Terms: Security.
Lossy Trapdoor Functions and Their Applications
, 2007
"... We propose a new general primitive called lossy trapdoor functions (lossy TDFs), and realize it under a variety of different number theoretic assumptions, including hardness of the decisional DiffieHellman (DDH) problem and the worstcase hardness of lattice problems. Using lossy TDFs, we develop a ..."
Abstract

Cited by 126 (21 self)
 Add to MetaCart
(Show Context)
We propose a new general primitive called lossy trapdoor functions (lossy TDFs), and realize it under a variety of different number theoretic assumptions, including hardness of the decisional DiffieHellman (DDH) problem and the worstcase hardness of lattice problems. Using lossy TDFs, we develop a new approach for constructing several important cryptographic primitives, including (injective) trapdoor functions, collisionresistant hash functions, oblivious transfer, and chosen ciphertextsecure cryptosystems. All of the constructions are simple, efficient, and blackbox. These results resolve some longstanding open problems in cryptography. They give the first known injective trapdoor functions based on problems not directly related to integer factorization, and provide the first known CCAsecure cryptosystem based solely on the worstcase complexity of lattice problems.
Bonsai Trees, or How to Delegate a Lattice Basis
, 2010
"... We introduce a new latticebased cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include: • An efficient, stateless ‘hashandsign ’ signature scheme in the standard model (i.e., no random oracles), and • The ..."
Abstract

Cited by 123 (7 self)
 Add to MetaCart
We introduce a new latticebased cryptographic structure called a bonsai tree, and use it to resolve some important open problems in the area. Applications of bonsai trees include: • An efficient, stateless ‘hashandsign ’ signature scheme in the standard model (i.e., no random oracles), and • The first hierarchical identitybased encryption (HIBE) scheme (also in the standard model) that does not rely on bilinear pairings. Interestingly, the abstract properties of bonsai trees seem to have no known realization in conventional numbertheoretic cryptography. 1
Anonymous Hierarchical IdentityBased Encryption (Without Random Oracles). In: Dwork
 CRYPTO 2006. LNCS,
, 2006
"... Abstract We present an identitybased cryptosystem that features fully anonymous ciphertexts and hierarchical key delegation. We give a proof of security in the standard model, based on the mild Decision Linear complexity assumption in bilinear groups. The system is efficient and practical, with sm ..."
Abstract

Cited by 119 (10 self)
 Add to MetaCart
Abstract We present an identitybased cryptosystem that features fully anonymous ciphertexts and hierarchical key delegation. We give a proof of security in the standard model, based on the mild Decision Linear complexity assumption in bilinear groups. The system is efficient and practical, with small ciphertexts of size linear in the depth of the hierarchy. Applications include search on encrypted data, fully private communication, etc. Our results resolve two open problems pertaining to anonymous identitybased encryption, our scheme being the first to offer provable anonymity in the standard model, in addition to being the first to realize fully anonymous HIBE at all levels in the hierarchy. Introduction The cryptographic primitive of identitybased encryption allows a sender to encrypt a message for a receiver using only the receiver's identity as a public key. Recently, there has been interest in "anonymous" identitybased encryption systems, where the ciphertext does not leak the identity of the recipient. In addition to their obvious privacy benefits, anonymous IBE systems can be leveraged to construct Public key Encryption with Keyword Search (PEKS) schemes, as was first observed by Boneh et al. [10] and later formalized by Abdalla et al. Prior to this paper, the only IBE system known to be inherently anonymous was that of Boneh and Franklin Our Results We present an Anonymous IBE and HIBE scheme without random oracles, therby solving both open problems from CRYPTO'05. Our scheme is very efficient for pure IBE, and reasonably efficient for HIBE with shallow hierarchies of practical interest. We prove it secure based solely on Boneh's et al. [9] Decision Linear assumption, which is one of the mildest useful complexity assumptions in bilinear groups. At first sight, our construction bears a superficial resemblance to Boneh and Boyen's "BB 1 " HIBE scheme [5, §4] but with at least two big differences. First, we perform "linear splittings" on various portions of the ciphertext, to thwart the trialanderror identity guessing to which other schemes fell prey. This idea gives us provable anonymity, even under symmetric pairings. Second, we use multiple parallel HIBE systems and constantly rerandomize the keys between them. This is what lets us use the linear splitting trick at all levels of the hierarchy, but also poses a technical challenge in the security reduction which mist now simulate multiple interacting HIBE systems at once. Solving this problem was the crucial step that gave us a hierarchy without destroying anonymity. Building a "flat" anonymous IBE system turns out to be reasonably straightforward using our linear splitting technique to hide the recipient identity behind some randomization. Complications arise when one tries to support hierarchical key generation. In a nutshell, to prevent collusion attacks in HIBE, "parents" must independently rerandomize the private keys they give to their "children". In all known HIBE schemes, rerandomization is enabled by a number of supplemental components in the public system parameters. Why this breaks anonymity is because the same mechanism that allows private keys to be publicly rerandomized, also allows ciphertexts to be publicly tested for recipient identities. Random oracles offer no protection against this. To circumvent this obstable, we need to make the rerandomization elements nonpublic, and tie them to each individual private key. In practical terms, this means that private keys must convey extra components (although not too many). The real difficulty is that each set of rerandomization components constitutes a fullfledged HIBE in its own right, which must be simulated together with its peers in the security proof (their number grows linearly with the maximal depth). Because these systems are not independent but interact with each other, we are left with the task of simulating multiple HIBE subsystems that are globally constrained by a set of linear relations. A novelty of our proof technique is a method to endow the simulator with enough degrees of freedom to reduce a system of unknown keys to a single instance of the presumed hard problem. A notable feature of our construction is that it can be implemented using all known instantiations of the bilinear pairing (whether symmetric or asymmetric, with our without a computable or 2 invertible homomorphism, etc.). To cover all grounds, we describe both a symmetric IBE version for simplicitly, and a fully general asymmetric HIBE without homomorphisms for generality. Related Work The concept of identitybased encryption was first proposed by Shamir [26] two decades ago. However, it was not until much later that Boneh and Franklin [11] and Cocks [17] presented the first practical solutions. The BonehFranklin IBE scheme was based on groups with efficiently computable bilinear maps, while the Cocks scheme was proven secure under the quadratic residuosity problem, which relies on the hardness of factoring. The security of either scheme was only proven in the random oracle model. Canetti, Halevi, and Katz [14] suggested a weaker security notion for IBE, known as selective identity or selectiveID, relative to which they were able to build an inefficient but secure IBE scheme without using random oracles. Boneh and Boyen The notion of hierarchical identitybased encryption was first defined by Horwitz and Lynn [4]. Applications In this section we discuss various applications of our fully anonymous HIBE system. The main applications can be split into several broad categories. 3 Fully Private Communication. The first compelling application of anonymous IBE is for fully private communication. Bellare et al. [4] argue that public key encryption systems that have the "key privacy" property can be used for anonymous communication: for example, if one wishes to hide the identity of a recipient one can encrypt a ciphertext with an anonymous IBE system and post it on a public bulletin board. By the anonymity property, the ciphertext will betray neither sender nor recipient identity, and since the bulletin board is public, this method will also be resistant to traffic analysis. To compound this notion of key privacy, identitybased encryption is particularly suited for untraceable anonymous communication, since, contrarily to publickey infrastructures, the sender does not even need to query a directory for the public key of the recipient. For this reason, anonymous IBE provides a very convincing solution to the problem of secure anonymous communication, as it makes it harder to conduct traffic analysis attack on directory lookups. Search on Encrypted Data. The second main application of anonymous (H)IBE is for encrypted search. As mentioned earlier, anonymous IBE and HIBE give several application in the Publickey Encryption with Keyword Search (PEKS) domain, proposed by Boneh et al. [10], and further discussed by Abdalla et al. As the last applications we mention, forwardsecure publickey encryption Background Recall that a pairing is an efficiently computable [23], nondegenerate function, e : G ×Ĝ → G T , with the bilinearity property that e(g r ,ĝ s ) = e(g,ĝ) r s . Here, G,Ĝ, and G T are all multiplicative groups of prime order p, respectively generated by g,ĝ, and e(g,ĝ). We assume an efficient generation procedure that on input a security parameter Σ ∈ N outputs G $ ← Gen(1 Σ ) where log 2 (p) = Θ(Σ). We write Z p = Z/pZ for the set of residues modp and Z × p = Z p \ {0} for its multiplicative group. Assumptions Since bilinear groups first appeared in cryptography half a decade ago 4 Informally, we say that an assumption is mild if it is tautological in the generic group model Decision BDH: The Bilinear DH assumption was first used by Joux Decision Linear: The Linear assumption was first proposed by Boneh, Boyen, and Shacham for group signatures "Hard" means algorithmically nonsolvable with probability 1 /2 + Ω(poly(Σ) −1 ) in time O(poly(Σ)) for efficiently generated random "bilinear instances" These assumptions allow but not require the groups G andĜ to be distinct, and similarly we make no representation one way or the other regarding the existence of computable homomorphisms between G andĜ, in either direction. This is the most general formulation. It has two main benefits: (1) since it comes with fewer restrictions, it is potentially more robust and increases our confidence in the assumptions we make; and (2) it gives us the flexibility to implement the bilinear pairing on a broad variety of algebraic curves with attractive computational characteristics [2], whereas symmetric pairings tend to be confined to supersingular curves, to name this one distinction. Note that if we let G =Ĝ and g =ĝ, our assumptions regain their familiar "symmetric" forms: As a rule of thumb, the remainder of this paper may be read in the context of symmetric pairings, simply by dropping all "hats" (ˆ) in the notation. Also note that DLinear trivially implies DBDH. Models We briefly precise the security notions that are implied by the concept of Anonymous IBE or HIBE. We omit the formal definitions, which may be found in the literature Confidentiality: This is the usual security notion of semantic security for encryption. It means that no nontrivial information about the message can be feasibly gleaned from the ciphertext. Anonymity: Recipient anonymity is the property that the adversary be unable to distinguish the encryption of a chosen message for a first chosen identity from the encryption of the same message for a second chosen identity. Equivalently, the adversary must be unable to decide whether a ciphertext was encrypted for a chosen identity, or for a random identity. 5 Intuition Before we present our scheme we first explain why it is difficult to implement anonymous IBE without random oracles, as well as any form of anonymous HIBE even in the random oracle model. We also give some intuition behind our solution. Recall that in the basic BonehFranklin IBE system where H is a random oracle, r is a random exponent, and g and Q are public system parameters. A crucial observation is that the one element of the ciphertext in the bilinear group G, namely, g r , is just a random element that gives no information about the identity of the recipient. The reason why only one element in G is needed is because private keys in the BonehFranklin scheme are deterministic there will be no randomness in the private key to cancel out. Since the proof of semantic security is based on the fact that C 2 is indistinguishable from random without the private key for ID, it follows that the scheme is also anonymous since C 2 is the only part of the ciphertext on which the recipient identity has any bearing. More recently, there have been a number of IBE schemes proven secure without random oracles, such as BTE from where r is chosen by the encryptor and g, g 1 , g 3 , and e(g 1 ,ĝ 2 ) are public system parameters. Notice, there are now two elements in G, and between them there is enough redundancy to determine whether a ciphertext was intended for a given identity Id, simply by testing whether the tuple [g, g Id 1 g 3 , C 1 , C 2 ] is DiffieHellman, using the bilinear map, We see that the extra ciphertext components which are seemingly necessary in IBE schemes without random oracles, in fact contribute to leaking the identity of the intended recipient of a ciphertext. A similar argument can be made for why existing HIBE schemes are not anonymous, regardless of their lack of use of random oracles. Indeed, all known HIBE schemes, including the GentrySilverberg system in the random oracle model, rely on randomization in order to properly delegate private keys down the hierarchy in a collusionresistant manner. Because of this, we similarly have the property that the extra components needed to cancel the randomization will also provide a test for the addressee's identity. Since having randomized keys seems to be fundamental to designing (H)IBE systems without random oracles, we aim to design a system where the necessary extra information will be hidden to a computationally bounded adversary. Thus, even though we cannot prevent the ciphertext from containing information about the recipient, we can design our system such that this information cannot be easily tested from the public parameters and ciphertext alone. A Primer : Anonymous IBE We start by describing an Anonymous IBE scheme that is semantically secure against selectiveID chosen plaintext attacks. This construction will illustrate our basic technique of "splitting" the bilinear group elements into two pieces to protect against the attacks described in the previous section. In the next section we will describe our full Anonymous HIBE scheme, as well as mention how to achieve adaptiveID and chosen ciphertext security. For simplicity, and also to show that we get anonymity even when using symmetric pairings, we describe the IBE system (and the IBE system only) in the special case where G =Ĝ: Setup The setup algorithm chooses a random generator g ∈ G, random group elements g 0 , g 1 ∈ G, and random exponents ω, t 1 , t 2 , t 3 , t 4 ∈ Z p . It keeps these exponents as the master key, Msk. The corresponding system parameters are published as: Extract(Msk, Id) To issue a private key for identity Id, the key extraction authority chooses two random exponents r 1 , r 2 ∈ Z p , and computes the private key, , as: Encrypt(Pub, Id, M ) Encrypting a message Msg ∈ G T for an identity Id ∈ Z × p works as follows. The algorithm chooses random exponents s, s 1 , s 2 ∈ Z p , and creates the ciphertext as: Decrypt(Pvk Id , C) The decryption algorithm attempts to decrypt a ciphertext CT by computing: Proving Security. We prove security using a hybrid experiment. Let [C , C 0 , C 1 , C 2 , C 3 , C 4 ] denote the challenge ciphertext given to the adversary during a real attack. Additionally, let R be a random element of G T , and R , R be random elements of G. We define the following hybrid games which differ on what challenge ciphertext is given by the simulator to the adversary: We remark that the challenge ciphertext in Γ 3 leaks no information about the identity since it is composed of six random group elements, whereas in Γ 0 the challenge is well formed. We show that the transitions from Γ 0 to Γ 1 to Γ 2 to Γ 3 are all computationally indistinguishable. Lemma 1 (semantic security). Under the (t, )Decision BDH assumption, there is no adversary running in time t that distinguishes between the games Γ 0 and Γ 1 with advantage greater than . 7 Proof. The proof from this lemma essentially follows from the security of the BonehBoyen selectiveID scheme. Suppose there is an adversary that can distingiush between game Γ 0 and Γ 1 with advantage . Then we build a simulator that plays the Decison BDH game with advantage . The simulator receives a DBDH challenge [g, g z 1 , g z 2 , g z 3 , Z] where Z is either e(g, g) z 1 z 2 z 3 or a random element of G T with equal probability. The game proceeds as follows: Init: The adversary announces the identity Id * it wants to be challenged upon. Setup: The simulator chooses random exponents t 1 , t 2 , t 3 , t 4 , y ∈ Z p . It retains the generator g, and sets g 0 = (g z 1 ) −Id g y and g 1 = g z 1 . The public parameters are published as: Note that this implies that ω = z 1 z 2 . Phase 1: Suppose the adversary requests a key for identity Id = Id * . The simulator picks random exponents r 1 , r 2 ∈ Z p , and issues a private key as: This is a well formed secret key for random exponentsr 1 = r 1 − z 2 /(Id − Id * ) andr 2 = r 2 . Challenge: Upon receiving a message Msg from the adversary, the simulator chooses s 1 , s 2 ∈ Z p , and outputs the challenge ciphertext as: We can let s = z 3 and see that if Z = e(g, g) z 1 z 2 z 3 the simulator is playing game Γ 0 with the adversary, otherwise the simulator is playing game Γ 1 with the adversary. Phase 2: The simulator answers the queries in the same way as Phase 1. Guess: The simulator outputs a guess γ, which the simulator forwards as its own guess for the DBDH game. Since the simulator plays game Γ 0 if and only the given DBDH instance was well formed, the simulator's advantage in the DBDH game is exactly . Lemma 2 (anonymity, part 1). Under the (t, )Decision linear assumption, no adversary that runs in time t can distinguish between the games Γ 1 and Γ 2 with advantage greater than . Proof. Suppose the existence of an adversary A that distinguishes between the two games with advantage . Then we construct a simulator that wins the Decision Linear game as follows. The simulator takes in a DLinear instance [g, g z 1 , g z 2 , g z 1 z 3 , g z 2 z 4 , Z], where Z is either g z 3 +z 4 or random in G with equal probability. For convenience, we rewrite this as [g, g z 1 , g z 2 , g z 1 z 3 , Y, g s ] for s such that g s = Z, and consider the task of deciding whether Y = g z 2 (s−z 3 ) which is equivalent. The simulator plays the game in the following stages. Init: The adversary A gives the simulator the challenge identity Id * . Setup: The simulator first chooses random exponents α, y, t 3 , t 4 , ω. It lets g in the simulation be as in the instance, and sets v 1 = g z 2 and v 2 = g z 1 . The public key is published as: 8 If we pose t 1 = z 1 and t 2 = z 2 , we note that the public key is distributed as in the real scheme. Phase 1: To answer a private key extraction query for an identity Id = Id * , the simulator chooses random exponents r 1 , r 2 ∈ Z p , and outputs a key given by: If, instead of r 1 and r 2 , we consider this pair of uniform random exponents, then we see that the private key is well formed, since it can be rewritten as: −r 2 t 3 . Challenge: The simulator gets from the adversary a message M which it can discard, and responds with a challenge ciphertext for the identity Id * . Pose s 1 = z 3 . To proceed, the simulator picks a random exponent s 2 ∈ Z p and a random element R ∈ G T , and outputs the ciphertext as: 2 ; all parts of the challenge but C are thus well formed, and the simulator behaved as in game Γ 1 . If instead Y is independent of z 1 , z 2 , s, s 1 , s 2 , which happens when Z is random, then the simulator responded as in game Γ 2 . Phase 2: The simulator answer the query in the same way as Phase 1. Output: The adversary outputs a bit γ to guess which hybrid game the simulator has been playing. To conclude, the simulator forwards γ as its own answer in the DecisionLinear game. By the simulation setup the advantage of the simulator will be exactly that of the adversary. Lemma 3 (anonymity, part 2). Under the (t, )Decision linear assumption, no adversary that runs in time t can distinguish between the games Γ 2 and Γ 3 with advantage greater than . Proof. This argument follows almost identically to that of Lemma 2, except where the simulation is done over the parameters v 3 and v 4 in place of v 1 and v 2 . The other difference is that the g ω term that appeared in d 1 , d 2 without interfering with the simulation, does not even appear in d 3 , d 4 . 5 The Scheme : Anonymous HIBE We now describe our full Anonymous HIBE scheme without random oracles. Anonymity is provided by the splitting technique and hybrid proof introduced in the previous section. In addition, to thwart the multiple avenues for user collusion enabled by the hierarchy, the keys are rerandomized between all siblings and all children. Roughly speaking, this is done by using several parallel HIBE systems, which are recombined at random every time a new private key is issued. In the proof of security, this extra complication is handled by a "multisecret simulator", that is able to simulate multiple interacting HIBE systems under a set of constraints. This is an information theoretic proof that sits on top of the hybrid argument, which is computational. For the most part, we focus on security against selectiveidentity, chosen plaintext attacks. In Appendix A we mention how to secure the scheme against adaptiveID and CCA2 adversaries. 9 Setup(1 Σ , D) To generate the public system parameters and the corresponding master secret key, given a security parameter Σ ∈ N in unary, and the hierarchy's maximum depth D ∈ N, the setup algorithm first generates a bilinear instance 1. Select 7 + 5 D + D 2 random integers modulo p (some of them forcibly nonzero): 2. Publish G and the system parameters Pub ∈ G T × G 2 (1+D) (2+D) given by: 3. Retain the master secret key Msk ∈Ĝ 1+(3+D) (2+D) comprising the elements: Extract(Pub, Msk, Id) To extract a private key for an identity Id where L ∈ {1, . . . , D} and by convention I 0 = 1, using the master key Msk: Compute the key's decryption portion: 3. The rerandomization part: Pvk And then the delegation components: The full private key is issued as the concatenation: Pvk Id = Pvk Each row on the left can be viewed as a private key in an independent HIBE system (with generalized linear splitting as in Section 4). The main difference is that only Pvk where L ∈ {2, . . . , D} and I 0 = 1, given a private key of the parent. Let that be 2. Compute for the decryption portion: . 3. For rerandomization: Pvk . And then for delegation: The subordinate private key is the concatenation: Derive and Extract create private keys with the same structure and distribution. The derivation process in Derive merges two distinct operations: delegation and rerandomization. Rerandomization occurs first, conceptually speaking. Very simply, we take a random linear combination of all the rows of the big array on page 10. The first row is treated a bit differently: it does not intervene into any other row's rerandomization, and its own coefficient is set to 1. Delegation targets the leftmost elements of Pvk We now turn to the encryption and decryption methods. 11 Encrypt(Pub, Id, Msg) To encrypt a message encoded as a group element Msg ∈ G T for a given identity Id = [I 0 (= 1), I 1 , . . . , I L ] at level L, the encryption algorithm proceeds as follows: ∈ G T × G 5+2 D . Encryption is very cheap with a bit of caching since the exponentiations bases never change. Decrypt(Pub, Pvk Id , CT) To decrypt a ciphertext CT, using (the decryption portion of) a private key Pvk (a) , k n,(b) ] n=0,...,1+D ] , the decryption algorithm outputs: Msg ← E · e(c 0 , k 0 ) 1+D n=0 e(c n,(a) , k n,(a) ) e(c n,(b) , k n,(b) ) ∈ G T . All the pairings in the product can be computed at once using the "multipairing" trick which is similar to multiexponentiation. One can also exploit the fact that all the k ··· are fixed for a given recipient to perform advantageous precomputations The following theorems show that extracted and delegated private keys are identically distributed, and that extraction, encryption, and decryption, are consistent. Proofs are given in Appendix B. Theorem 4. Private keys calculated by Derive and Extract have the same distribution. Theorem 5. The Anonymous HIBE scheme is internally consistent. Security We state the security theorems for the AHIBE scheme. The reductions are essentially tight and hold in the standard model. Informal arguments and full proofs may be found in Appendix C. First, we show semantic security against a selectiveidentity, chosen plaintext adversary. Theorem 6 (Confidentiality). Suppose that G upholds the (τ, )Decision BDH assumption. Then, against a selectiveID adversary that makes at most q private key extraction queries, the HIBE scheme of Section 5 is (q,τ ,˜ )INDsIDCPA secure in G withτ ≈ τ and˜ = −(3 + D) q/p. The next theorem shows that the scheme is recipient anonymous under a selective identity, chosen plaintext attack. (Sender anonymity is a trivial property of unauthenticated encryption.) Theorem 7 (Anonymity). Suppose that G upholds the (τ, )Decision Linear assumption. Then, against a selectiveID adversary that makes q private key extraction queries, the HIBE scheme of Section 5 is (q,τ ,˜ )ANONsIDCPA secure in G withτ ≈ τ and˜ = − (2 + D) (7 + 3 D) q/p. Active Attacks. We mention how to secure the scheme against active adversaries in the adaptive identity (ID) and the adaptive chosen ciphertext (CCA2) attack models in Appendix A. 12 Conclusion We presented a provably anonymous IBE and HIBE scheme without random oracles, which resolves an open question from CRYPTO 2005 regarding the existence of anonymous HIBE systems. Our constructions make use of a novel "linearsplitting" technique which prevents an attacker from testing the intended recipient of ciphertexts yet allows for the use of randomized private IBE keys. In the hierarchical case, we add to this a new "multisimulation" proof device that permits multiple HIBE subsystems to concurrently rerandomize each other. Security is based solely on the Linear assumption in bilinear groups. Our basic scheme is very efficient, within a factor two of (nonanonymous) BonehBoyen, and much faster than BonehFranklin encryption. The full hierarchical scheme remains practical with its quadratic private key size, and its linear ciphertext size, encryption time, and decryption time, as functions of the depth of the hierarchy.
Multidimension range query over encrypted data
 In IEEE Symposium on Security and Privacy
, 2007
"... encryption We design an encryption scheme called Multidimensional Range Query over Encrypted Data (MRQED), to address the privacy concerns related to the sharing of network audit logs and various other applications. Our scheme allows a network gateway to encrypt summaries of network flows before su ..."
Abstract

Cited by 112 (5 self)
 Add to MetaCart
(Show Context)
encryption We design an encryption scheme called Multidimensional Range Query over Encrypted Data (MRQED), to address the privacy concerns related to the sharing of network audit logs and various other applications. Our scheme allows a network gateway to encrypt summaries of network flows before submitting them to an untrusted repository. When network intrusions are suspected, an authority can release a key to an auditor, allowing the auditor to decrypt flows whose attributes (e.g., source and destination addresses, port numbers, etc.) fall within specific ranges. However, the privacy of all irrelevant flows are still preserved. We formally define the security for MRQED and prove the security of our construction under the decision bilinear DiffieHellman and decision linear assumptions in certain bilinear groups. We study the practical performance of our construction in the context of network audit logs. Apart from network audit logs, our scheme also has interesting applications for financial audit logs, medical privacy, untrusted remote storage, etc. In particular, we show that MRQED implies a solution to its dual problem, which enables investors to trade stocks through a broker in a privacypreserving manner. 1
Attribute based data sharing with attribute revocation
 in Proc. of ASIACCS. ACM
"... CiphertextPolicy Attribute Based Encryption (CPABE) is a promising cryptographic primitive for finegrained access control of shared data. In CPABE, each user is associated with a set of attributes and data are encrypted with access structures on attributes. A user is able to decrypt a ciphertex ..."
Abstract

Cited by 103 (5 self)
 Add to MetaCart
(Show Context)
CiphertextPolicy Attribute Based Encryption (CPABE) is a promising cryptographic primitive for finegrained access control of shared data. In CPABE, each user is associated with a set of attributes and data are encrypted with access structures on attributes. A user is able to decrypt a ciphertext if and only if his attributes satisfy the ciphertext access structure. Beside this basic property, practical applications usually have other requirements. In this paper we focus on an important issue of attribute revocation which is cumbersome for CPABE schemes. In particular, we resolve this challenging issue by considering more practical scenarios in which semitrustable online proxy servers are available. As compared to existing schemes, our proposed solution enables the authority to revoke user attributes with minimal effort. We achieve this by uniquely integrating the technique of proxy reencryption with CPABE, and enable the authority to delegate most of laborious tasks to proxy servers. Formal analysis shows that our proposed scheme is provably secure against chosen ciphertext attacks. In addition, we show that our technique can also be applicable to the KeyPolicy Attribute Based Encryption (KPABE) counterpart.
Provably secure ciphertext policy ABE. Cryptology ePrint Archive Report 2007/183
, 2007
"... In ciphertext policy attributebased encryption (CPABE), every secret key is associated with a set of attributes, and every ciphertext is associated with an access structure on attributes. Decryption is enabled if and only if the user’s attribute set satisfies the ciphertext access structure. This ..."
Abstract

Cited by 99 (1 self)
 Add to MetaCart
(Show Context)
In ciphertext policy attributebased encryption (CPABE), every secret key is associated with a set of attributes, and every ciphertext is associated with an access structure on attributes. Decryption is enabled if and only if the user’s attribute set satisfies the ciphertext access structure. This provides finegrained access control on shared data in many practical settings, e.g., secure database and IP multicast. In this paper, we study CPABE schemes in which access structures are AND gates on positive and negative attributes. Our basic scheme is proven to be chosen plaintext (CPA) secure under the decisional bilinear DiffieHellman (DBDH) assumption. We then apply the CanettiHaleviKatz technique to obtain a chosen ciphertext (CCA) secure extension using onetime signatures. The security proof is a reduction to the DBDH assumption and the strong existential unforgeability of the signature primitive. In addition, we introduce hierarchical attributes to optimize our basic scheme—reducing both ciphertext size and encryption/decryption time while maintaining CPA security. We conclude with a discussion of practical applications of
Efficient lattice (H)IBE in the standard model
 In EUROCRYPT 2010, LNCS
, 2010
"... Abstract. We construct an efficient identity based encryption system based on the standard learning with errors (LWE) problem. Our security proof holds in the standard model. The key step in the construction is a family of lattices for which there are two distinct trapdoors for finding short vectors ..."
Abstract

Cited by 98 (15 self)
 Add to MetaCart
(Show Context)
Abstract. We construct an efficient identity based encryption system based on the standard learning with errors (LWE) problem. Our security proof holds in the standard model. The key step in the construction is a family of lattices for which there are two distinct trapdoors for finding short vectors. One trapdoor enables the real system to generate short vectors in all lattices in the family. The other trapdoor enables the simulator to generate short vectors for all lattices in the family except for one. We extend this basic technique to an adaptivelysecure IBE and a Hierarchical IBE. 1