Results 1  10
of
126
Fully Secure Functional Encryption: AttributeBased Encryption and (Hierarchical) Inner Product Encryption
"... In this paper, we present two fully secure functional encryption schemes. Our first result is a fully secure attributebased encryption (ABE) scheme. Previous constructions of ABE were only proven to be selectively secure. We achieve full security by adapting the dual system encryption methodology r ..."
Abstract

Cited by 145 (21 self)
 Add to MetaCart
In this paper, we present two fully secure functional encryption schemes. Our first result is a fully secure attributebased encryption (ABE) scheme. Previous constructions of ABE were only proven to be selectively secure. We achieve full security by adapting the dual system encryption methodology recently introduced by Waters and previously leveraged to obtain fully secure IBE and HIBE systems. The primary challenge in applying dual system encryption to ABE is the richer structure of keys and ciphertexts. In an IBE or HIBE system, keys and ciphertexts are both associated with the same type of simple object: identities. In an ABE system, keys and ciphertexts are associated with more complex objects: attributes and access formulas. We use a novel informationtheoretic argument to adapt the dual system encryption methodology to the more complicated structure of ABE systems. We construct our system in composite order bilinear groups, where the order is a product of three primes. We prove the security of our system from three static assumptions. Our ABE scheme supports arbitrary monotone access formulas. Our second result is a fully secure (attributehiding) predicate encryption (PE) scheme
Decentralizing AttributeBased Encryption
"... We propose a MultiAuthority AttributeBased Encryption (ABE) system. In our system, any party can become an authority and there is no requirement for any global coordination other than the creation of an initial set of common reference parameters. A party can simply act as an ABE authority by creat ..."
Abstract

Cited by 76 (9 self)
 Add to MetaCart
We propose a MultiAuthority AttributeBased Encryption (ABE) system. In our system, any party can become an authority and there is no requirement for any global coordination other than the creation of an initial set of common reference parameters. A party can simply act as an ABE authority by creating a public key and issuing private keys to different users that reflect their attributes. A user can encrypt data in terms of any boolean formula over attributes issued from any chosen set of authorities. Finally, our system does not require any central authority. In constructing our system, our largest technical hurdle is to make it collusion resistant. Prior AttributeBased Encryption systems achieved collusion resistance when the ABE system authority “tied ” together different components (representing different attributes) of a user’s private key by randomizing the key. However, in our system each component will come from a potentially different authority, where we assume no coordination between such authorities. We create new techniques to tie key components together and prevent collusion attacks between users with different global identifiers. We prove our system secure using the recent dual system encryption methodology where the security proof works by first converting the challenge ciphertext and private keys to a semifunctional form and then arguing security. We follow a recent variant of the dual system proof technique due to Lewko and Waters and build our system using bilinear groups of composite order. We prove security under similar static assumptions to the LW paper in the random oracle model. 1
Pinocchio: Nearly practical verifiable computation
 In Proceedings of the 34th IEEE Symposium on Security and Privacy, Oakland ’13
, 2013
"... Abstract To instill greater confidence in computations outsourced to the cloud, clients should be able to verify the correctness of the results returned. To this end, we introduce Pinocchio, a built system for efficiently verifying general computations while relying only on cryptographic assumption ..."
Abstract

Cited by 69 (6 self)
 Add to MetaCart
(Show Context)
Abstract To instill greater confidence in computations outsourced to the cloud, clients should be able to verify the correctness of the results returned. To this end, we introduce Pinocchio, a built system for efficiently verifying general computations while relying only on cryptographic assumptions. With Pinocchio, the client creates a public evaluation key to describe her computation; this setup is proportional to evaluating the computation once. The worker then evaluates the computation on a particular input and uses the evaluation key to produce a proof of correctness. The proof is only 288 bytes, regardless of the computation performed or the size of the inputs and outputs. Anyone can use a public verification key to check the proof. Crucially, our evaluation on seven applications demonstrates that Pinocchio is efficient in practice too. Pinocchio's verification time is typically 10ms: 57 orders of magnitude less than previous work; indeed Pinocchio is the first generalpurpose system to demonstrate verification cheaper than native execution (for some apps). Pinocchio also reduces the worker's proof effort by an additional 1960×. As an additional feature, Pinocchio generalizes to zeroknowledge proofs at a negligible cost over the base protocol. Finally, to aid development, Pinocchio provides an endtoend toolchain that compiles a subset of C into programs that implement the verifiable computation protocol.
Converting PairingBased Cryptosystems from CompositeOrder Groups to PrimeOrder Groups
"... Abstract. We develop an abstract framework that encompasses the key properties of bilinear groups of composite order that are required to construct secure pairingbased cryptosystems, and we show how to use primeorder elliptic curve groups to construct bilinear groups with the same properties. In p ..."
Abstract

Cited by 56 (0 self)
 Add to MetaCart
Abstract. We develop an abstract framework that encompasses the key properties of bilinear groups of composite order that are required to construct secure pairingbased cryptosystems, and we show how to use primeorder elliptic curve groups to construct bilinear groups with the same properties. In particular, we define a generalized version of the subgroup decision problem and give explicit constructions of bilinear groups in which the generalized subgroup decision assumption follows from the decision DiffieHellman assumption, the decision linear assumption, and/or related assumptions in primeorder groups. We apply our framework and our primeorder group constructions to create more efficient versions of cryptosystems that originally required compositeorder groups. Specifically, we consider the BonehGohNissim encryption scheme, the BonehSahaiWaters traitor tracing system, and the KatzSahaiWaters attributebased encryption scheme. We give a security theorem for the primeorder group instantiation of each system, using assumptions of comparable complexity to those used in the compositeorder setting. Our conversion of the last two systems to primeorder groups answers a problem posed by Groth and Sahai.
Randomizable proofs and delegatable anonymous credentials
, 2009
"... We construct an efficient delegatable anonymous credentials system. Users can anonymously and unlinkably obtain credentials from any authority, delegate their credentials to other users, and prove possession of a credential L levels away from a given authority. The size of the proof (and time to ..."
Abstract

Cited by 40 (4 self)
 Add to MetaCart
We construct an efficient delegatable anonymous credentials system. Users can anonymously and unlinkably obtain credentials from any authority, delegate their credentials to other users, and prove possession of a credential L levels away from a given authority. The size of the proof (and time to compute it) is O(Lk), where k is the security parameter. The only other construction of delegatable anonymous credentials (Chase and Lysyanskaya, Crypto 2006) relies on general noninteractive proofs for NPcomplete languages of size kΩ(2L). We revise the entire approach to constructing anonymous credentials and identify randomizable zeroknowledge proof of knowledge systems as the key building block. We formally define the notion of randomizable noninteractive zeroknowledge proofs, and give the first instance of controlled rerandomization of noninteractive zeroknowledge proofs by a thirdparty. Our construction uses GrothSahai proofs (Eurocrypt 2008).
Fully LeakageResilient Signatures
, 2010
"... A signature scheme is fully leakage resilient (Katz and Vaikuntanathan, ASIACRYPT ’09) if it is existentially unforgeable under an adaptive chosenmessage attack even in a setting where an adversary may obtain bounded (yet arbitrary) leakage information on all intermediate values that are used throu ..."
Abstract

Cited by 23 (3 self)
 Add to MetaCart
A signature scheme is fully leakage resilient (Katz and Vaikuntanathan, ASIACRYPT ’09) if it is existentially unforgeable under an adaptive chosenmessage attack even in a setting where an adversary may obtain bounded (yet arbitrary) leakage information on all intermediate values that are used throughout the lifetime of the system. This is a strong and meaningful notion of security that captures a wide range of sidechannel attacks. One of the main challenges in constructing fully leakageresilient signature schemes is dealing with leakage that may depend on the random bits used by the signing algorithm, and constructions of such schemes are known only in the randomoracle model. Moreover, even in the randomoracle model, known schemes are only resilient to leakage of less than half the length of their signing key. In this paper we construct the first fully leakageresilient signature schemes without random oracles. We present a scheme that is resilient to any leakage of length (1 − o(1))L bits, where L is the length of the signing key. Our approach relies on generic cryptographic primitives, and at the same time admits rather efficient instantiations based on specific numbertheoretic
Optimal StructurePreserving Signatures in Asymmetric Bilinear Groups
"... Abstract. Structurepreserving signatures are signatures defined over bilinear groups that rely on generic group operations. In particular, the messages and signatures consist of group elements and the verification of signatures consists of evaluating pairing product equations. Due to their purist n ..."
Abstract

Cited by 20 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Structurepreserving signatures are signatures defined over bilinear groups that rely on generic group operations. In particular, the messages and signatures consist of group elements and the verification of signatures consists of evaluating pairing product equations. Due to their purist nature structurepreserving signatures blend well with other pairingbased protocols. We show that structurepreserving signatures must consist of at least 3 group elements when the signer uses generic group operations. Usually, the generic group model is used to rule out classes of attacks by an adversary trying to break a cryptographic assumption. In contrast, here we use the generic group model to prove a lower bound on the complexity of digital signature schemes. We also give constructions of structurepreserving signatures that consist of 3 group elements only. This improves significantly on previous structurepreserving signatures that used 7 group elements and matches our lower bound. Our structurepreserving signatures have additional nice properties such as strong existential unforgeability and can sign multiple group elements at once. Keywords: StructurePreservation, Digital Signatures, Generic Group Model. 1
Group Encryption: NonInteractive Realization in the Standard Model
"... Abstract. Group encryption (GE) schemes, introduced at Asiacrypt’07, are an encryption analogue of group signatures with a number of interesting applications. They allow a sender to encrypt a message (in the CCA2 security sense) for some member of a PKI group concealing that member’s identity (in a ..."
Abstract

Cited by 19 (6 self)
 Add to MetaCart
Abstract. Group encryption (GE) schemes, introduced at Asiacrypt’07, are an encryption analogue of group signatures with a number of interesting applications. They allow a sender to encrypt a message (in the CCA2 security sense) for some member of a PKI group concealing that member’s identity (in a CCA2 security sense, as well); the sender is able to convince a verifier that, among other things, the ciphertext is valid and some anonymous certified group member will be able to decrypt the message. As in group signatures, an opening authority has the power of pinning down the receiver’s identity. The initial GE construction uses interactive proofs as part of the design (which can be made noninteractive using the random oracle model) and the design of a fully noninteractive group encryption system is still an open problem. In this paper, we give the first GE scheme, which is a pure encryption scheme in the standard model, i.e., a scheme where the ciphertext is a single message and proofs are noninteractive (and do not employ the random oracle heuristic). As a building block, we use a new public key certification scheme which incurs the smallest amount of interaction, as well.
Making a Nymbler Nymble using VERBS
, 2010
"... In this work, we propose a new platform to enable service providers, such as web site operators, on the Internet to block past abusive users of anonymizing networks (for example, Tor) from further misbehaviour, without compromising their privacy, and while preserving the privacy of all of the non ..."
Abstract

Cited by 19 (6 self)
 Add to MetaCart
(Show Context)
In this work, we propose a new platform to enable service providers, such as web site operators, on the Internet to block past abusive users of anonymizing networks (for example, Tor) from further misbehaviour, without compromising their privacy, and while preserving the privacy of all of the nonabusive users. Our system provides a privacypreserving analog of IP address banning, and is modeled after the wellknown Nymble system [29,47,48]. However, while we solve the same problem as the original Nymble scheme, we eliminate the troubling situation in which users must trust their anonymity in the hands of a small number of trusted third parties. Unlike other approaches that have been considered in the literature [10,44,45,46], we avoid the use of trusted hardware devices or unrealistic assumptions about offline credential issuing authorities who are responsible for ensuring that no user is able to obtain multiple credentials. Thus, our scheme combines the strong privacy guarantees of [10,44,45,46] with a simple infrastructure as in [29,47,48]. To prevent malicious third parties from trivially colluding to reveal the identities of anonymous users we make use of a number of standard zeroknowledge proofs, and to maintain efficiency we introduce a new cryptographic technique which we call verifier efficient restricted blind signatures, or VERBS. Our approach allows users to perform all privacysensitive computations locally, and then prove in zeroknowledge that the computations were performed correctly in order to obtain efficiently verifiable signatures on the output — all without revealing neither the result of the computation, nor any potentially identifying information, to the signature issuing authority. Signature verification in our proposed VERBS scheme is 1–2 orders of magnitude more efficient than verification in any known restricted blind signature scheme.