Results 1  10
of
92
Identitybased Encryption with Efficient Revocation
, 2008
"... Identitybased encryption (IBE) is an exciting alternative to publickey encryption, as IBE eliminates the need for a Public Key Infrastructure (PKI). Any setting, PKI or identitybased, must provide a means to revoke users from the system. Efficient revocation is a wellstudied problem in the trad ..."
Abstract

Cited by 87 (3 self)
 Add to MetaCart
(Show Context)
Identitybased encryption (IBE) is an exciting alternative to publickey encryption, as IBE eliminates the need for a Public Key Infrastructure (PKI). Any setting, PKI or identitybased, must provide a means to revoke users from the system. Efficient revocation is a wellstudied problem in the traditional PKI setting. However in the setting of IBE, there has been little work on studying the revocation mechanisms. The most practical solution requires the senders to also use time periods when encrypting, and all the receivers (regardless of whether their keys have been compromised or not) to update their private keys regularly by contacting the trusted authority. We note that this solution does not scale well – as the number of users increases, the work on key updates becomes a bottleneck. We propose an IBE scheme that significantly improves keyupdate efficiency on the side of the trusted party (from linear to logarithmic in the number of users), while staying efficient for the users. Our scheme builds on the ideas of the Fuzzy IBE primitive and binary tree data structure, and is provably secure.
Formal Proofs for the Security of Signcryption
 In PKC ’02
, 2002
"... Signcryption is a public key or asymmetric cryptographic method that provides simultaneously both message confidentiality and unforgeability at a lower computational and communication overhead. ..."
Abstract

Cited by 85 (3 self)
 Add to MetaCart
(Show Context)
Signcryption is a public key or asymmetric cryptographic method that provides simultaneously both message confidentiality and unforgeability at a lower computational and communication overhead.
REACT: Rapid Enhancedsecurity Asymmetric Cryptosystem Transform
 CTRSA 2001, volume 2020 of LNCS
, 2001
"... Abstract. Seven years after the optimal asymmetric encryption padding (OAEP) which makes chosenciphertext secure encryption scheme from any trapdoor oneway permutation (but whose unique application is RSA), this paper presents REACT, a new conversion which applies to any weakly secure cryptosystem ..."
Abstract

Cited by 85 (19 self)
 Add to MetaCart
(Show Context)
Abstract. Seven years after the optimal asymmetric encryption padding (OAEP) which makes chosenciphertext secure encryption scheme from any trapdoor oneway permutation (but whose unique application is RSA), this paper presents REACT, a new conversion which applies to any weakly secure cryptosystem, in the random oracle model: it is optimal from both the computational and the security points of view. Indeed, the overload is negligible, since it just consists of two more hashings for both encryption and decryption, and the reduction is very tight. Furthermore, advantages of REACT beyond OAEP are numerous: 1. it is more general since it applies to any partially trapdoor oneway function (a.k.a. weakly secure publickey encryption scheme) and therefore provides security relative to RSA but also to the DiffieHellman problem or the factorization; 2. it is possible to integrate symmetric encryption (block and stream ciphers) to reach very high speed rates; 3. it provides a key distribution with session key encryption, whose overall scheme achieves chosenciphertext security even with weakly secure symmetric scheme. Therefore, REACT could become a new alternative to OAEP, and even reach security relative to factorization, while allowing symmetric integration.
ChosenCiphertext Security for any OneWay Cryptosystem
 In PKC ’00, LNCS 1751
, 2000
"... Abstract. For two years, public key encryption has become an essential topic in cryptography, namely with security against chosenciphertext attacks. This paper presents a generic technique to make a highly secure cryptosystem from any partially trapdoor oneway function, in the random oracle model. ..."
Abstract

Cited by 44 (10 self)
 Add to MetaCart
(Show Context)
Abstract. For two years, public key encryption has become an essential topic in cryptography, namely with security against chosenciphertext attacks. This paper presents a generic technique to make a highly secure cryptosystem from any partially trapdoor oneway function, in the random oracle model. More concretely, any suitable problem providing a oneway cryptosystem can be efficiently derived into a chosenciphertext secure encryption scheme. Indeed, the overhead only consists of two hashing and a XOR. As application, we provide the most efficient El Gamal encryption variant, therefore secure relative to the computational DiffieHellman problem. Furthermore, we present the first scheme whose security is relative to the factorization of large integers, with a perfect reduction (factorization is performed within the same time and with identical probability of success as the security break).
Improving Lattice Based Cryptosystems Using the Hermite Normal Form
 In Silverman [Sil01
"... We describe a simple technique that can be used to substantially reduce the key and ciphertext size of various lattice based cryptosystems and trapdoor functions of the kind proposed by Goldreich, Goldwasser and Halevi (GGH). The improvement is signi cant both from the theoretical and practical poin ..."
Abstract

Cited by 40 (8 self)
 Add to MetaCart
(Show Context)
We describe a simple technique that can be used to substantially reduce the key and ciphertext size of various lattice based cryptosystems and trapdoor functions of the kind proposed by Goldreich, Goldwasser and Halevi (GGH). The improvement is signi cant both from the theoretical and practical point of view, reducing the size of both key and ciphertext by a factor n equal to the dimension of the lattice (i.e., several hundreds for typical values of the security parameter.) The eciency improvement is obtained without decreasing the security of the functions: we formally prove that the new functions are at least as secure as the original ones, and possibly even better as the adversary gets less information in a strong information theoretical sense. The increased eciency of the new cryptosystems allows the use of bigger values for the security parameter, making the functions secure against the best cryptanalytic attacks, while keeping the size of the key even below the smallest key size for which lattice cryptosystems were ever conjectured to be hard to break.
Threshold Cryptosystems Secure against ChosenCiphertext Attacks
 IN PROC. OF ASIACRYPT
, 2000
"... Semantic security against chosenciphertext attacks (INDCCA) is widely believed as the correct security level for publickey encryption scheme. On the other hand, it is often dangerous to give to only one people the power of decryption. Therefore, threshold cryptosystems aimed at distributing the ..."
Abstract

Cited by 40 (3 self)
 Add to MetaCart
(Show Context)
Semantic security against chosenciphertext attacks (INDCCA) is widely believed as the correct security level for publickey encryption scheme. On the other hand, it is often dangerous to give to only one people the power of decryption. Therefore, threshold cryptosystems aimed at distributing the decryption ability. However, only two efficient such schemes have been proposed so far for achieving INDCCA. Both are El Gamallike schemes and thus are based on the same intractability assumption, namely the Decisional DiffieHellman problem. In this article we rehabilitate the twinencryption paradigm proposed by Naor and Yung to present generic conversions from a large family of (threshold) INDCPA scheme into a (threshold) INDCCA one in the random oracle model. An efficient instantiation is also proposed, which is based on the Paillier cryptosystem. This new construction provides the first example of threshold cryptosystem secure against chosenciphertext attacks based on the factorization problem. Moreover, this construction provides a scheme where the “homomorphic properties” of the original scheme still hold. This is rather cumbersome because homomorphic cryptosystems are known to be malleable and therefore not to be CCA secure. However, we do not build a “homomorphic cryptosystem”, but just keep the homomorphic properties.
Quantum publickey cryptosystems
 in Proc. of CRYPT0 2000
, 2000
"... Abstract. This paper presents a new paradigm of cryptography, quantum publickey cryptosystems. In quantum publickey cryptosystems, all parties including senders, receivers and adversaries are modeled as quantum (probabilistic) polytime Turing (QPT) machines and only classical channels (i.e., no q ..."
Abstract

Cited by 37 (2 self)
 Add to MetaCart
(Show Context)
Abstract. This paper presents a new paradigm of cryptography, quantum publickey cryptosystems. In quantum publickey cryptosystems, all parties including senders, receivers and adversaries are modeled as quantum (probabilistic) polytime Turing (QPT) machines and only classical channels (i.e., no quantum channels) are employed. A quantum trapdoor oneway function, f, plays an essential role in our system, in which a QPT machine can compute f with high probability, any QPT machine can invert f with negligible probability, and a QPT machine with trapdoor data can invert f. This paper proposes a concrete scheme for quantum publickey cryptosystems: a quantum publickey encryption scheme or quantum trapdoor oneway function. The security of our schemes is based on the computational assumption (over QPT machines) that a class of subsetsum problems is intractable against any QPT machine. Our scheme is very efficient and practical if Shor’s discrete logarithm algorithm is efficiently realized on a quantum machine.
Security Proof of SakaiKasahara's IdentityBased Encryption Scheme
 In Proceedings of Cryptography and Coding 2005, LNCS 3706
, 2005
"... Identitybased encryption (IBE) is a special asymmetric encryption method where a public encryption key can be an arbitrary identifier and the corresponding private decryption key is created by binding the identifier with a system's master secret. In 2003 Sakai and Kasahara proposed a new I ..."
Abstract

Cited by 34 (6 self)
 Add to MetaCart
(Show Context)
Identitybased encryption (IBE) is a special asymmetric encryption method where a public encryption key can be an arbitrary identifier and the corresponding private decryption key is created by binding the identifier with a system's master secret. In 2003 Sakai and Kasahara proposed a new IBE scheme, which has the potential to improve performance.
Optimizations for NTRU
"... In this note we describe a variety of methods that may be used to increase the speed and efficiency of the NTRU public key cryptosystem. ..."
Abstract

Cited by 30 (6 self)
 Add to MetaCart
In this note we describe a variety of methods that may be used to increase the speed and efficiency of the NTRU public key cryptosystem.
Hedged PublicKey Encryption: How to Protect against Bad Randomness
 IACR EPRINT
, 2012
"... Publickey encryption schemes rely for their INDCPA security on permessage fresh randomness. In practice, randomness may be of poor quality for a variety of reasons, leading to failure of the schemes. Expecting the systems to improve is unrealistic. What we show in this paper is that we can, inste ..."
Abstract

Cited by 29 (13 self)
 Add to MetaCart
(Show Context)
Publickey encryption schemes rely for their INDCPA security on permessage fresh randomness. In practice, randomness may be of poor quality for a variety of reasons, leading to failure of the schemes. Expecting the systems to improve is unrealistic. What we show in this paper is that we can, instead, improve the cryptography to offset the lack of possible randomness. We provide publickey encryption schemes that achieve INDCPA security when the randomness they use is of high quality, but, when the latter is not the case, rather than breaking completely, they achieve a weaker but still useful notion of security that we call INDCDA. This hedged publickey encryption provides the best possible security guarantees in the face of bad randomness. We provide simple RObased ways to make inpractice INDCPA schemes hedge secure with minimal software changes. We also provide nonRO model schemes relying on lossy trapdoor functions (LTDFs) and techniques from deterministic encryption. They achieve adaptive security by establishing and exploiting the anonymity of LTDFs which we believe is of independent interest. (Preliminary version was presented at AsiaCrypt 2009)