Results 1 - 10 of 28
Verifiable delegation of computation over large datasets
In Proceedings of the 31st Annual Conference on Advances in Cryptology, CRYPTO'11, 2011
Cited by 46 (4 self)
We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial functions. Such functions can be used, for example, to make predictions based on polynomials fitted to a large number of sample points in an experiment. In addition to the many non-cryptographic applications of delegating high degree polynomials, we use our verifiable computation scheme to obtain new solutions for verifiable keyword search, and proofs of retrievability. Our constructions are based on the DDH assumption and its variants, and achieve adaptive security, which was left as an open problem by Gennaro et al. (albeit for general functionalities). Our second result is a primitive which we call a verifiable database (VDB). Here, a weak client outsources a large table to an untrusted server, and makes retrieval and update queries. For each query, the server provides a response and a proof that the response was computed correctly. The goal is to minimize the resources required by the client. This is made particularly challenging if the number of update queries is unbounded. We present a VDB scheme based on the hardness of the subgroup
Unbounded HIBE and Attribute-Based Encryption
Cited by 42 (8 self)
In this work, we present HIBE and ABE schemes which are “unbounded” in the sense that the public parameters do not impose additional limitations on the functionality of the systems. In all previous constructions of HIBE in the standard model, a maximum hierarchy depth had to be fixed at setup. In all previous constructions of ABE in the standard model, either a small universe size or a bound on the size of attribute sets had to be fixed at setup. Our constructions avoid these limitations. We use a nested dual system encryption argument to prove full security for our HIBE scheme and selective security for our ABE scheme, both in the standard model and relying on static assumptions. Our ABE scheme supports LSSS matrices as access structures and also provides delegation capabilities to users.
Tools for simulating features of composite order bilinear groups in the prime order setting
In EUROCRYPT, 2012
Cited by 37 (4 self)
In this paper, we explore a general methodology for converting composite order pairing-based cryptosystems into the prime order setting. We employ the dual pairing vector space approach initiated by Okamoto and Takashima and formulate versatile tools in this framework that can be used to translate composite order schemes for which the prior techniques of Freeman were insufficient. Our techniques are typically applicable for composite order schemes relying on the canceling property and proven secure from variants of the subgroup decision assumption, and will result in prime order schemes that are proven secure from the decisional linear assumption. As an instructive example, we obtain a translation of the Lewko-Waters composite order IBE scheme. This provides a close analog of the Boneh-Boyen IBE scheme that is proven fully secure from the decisional linear assumption. We also provide a translation of the Lewko-Waters unbounded HIBE scheme.
Tamper and Leakage Resilience in the Split-State Model
2011
Cited by 18 (3 self)
It is notoriously difficult to create hardware that is immune from side channel and tampering attacks. A lot of recent literature, therefore, has instead considered algorithmic defenses from such attacks. In this paper, we show how to algorithmically secure any cryptographic functionality from continual split-state leakage and tampering attacks. A split-state attack on cryptographic hardware is one that targets separate parts of the hardware separately. Our construction does not require the hardware to have access to randomness. In contrast, prior work on protecting from continual combined leakage and tampering [KKS11] required true randomness for each update. Our construction is in the common reference string (CRS) model; the CRS must be hardwired into the device. We note that prior negative results show that it is impossible to algorithmically secure a cryptographic functionality against a combination of arbitrary continual leakage and tampering attacks without true randomness; therefore restricting our attention to the split-state model is justified. Our construction is simple and modular, and relies on a new construction, in the CRS model, of non-malleable codes with respect to split-state tampering functions, which may be of independent interest.
Leakage-Resilient Cryptography from the Inner-Product Extractor
In ASIACRYPT 2011, LNCS 7073, 2011
Cited by 16 (2 self)
We present a generic method to secure various widely-used cryptosystems against arbitrary side-channel leakage, as long as the leakage adheres to three restrictions: first, it is bounded per observation but in total can be arbitrarily large. Second, memory parts leak independently, and, third, the randomness that is used for certain operations comes from a simple (non-uniform) distribution. As a fundamental building block, we construct a scheme to store a cryptographic secret such that it remains information theoretically hidden, even given arbitrary continuous leakage from the storage. To this end, we use a randomized encoding and develop a method to securely refresh these encodings even in the presence of leakage. We then show that our encoding scheme exhibits an efficient additive homomorphism which can be used to protect important cryptographic tasks such as identification, signing and encryption. More precisely, we propose efficient implementations of the Okamoto identification scheme, and of an ElGamal-based cryptosystem with security against continuous leakage, as long as the leakage adheres to the above-mentioned restrictions. We prove security of the Okamoto scheme under the DL assumption and CCA2 security of our encryption scheme under the DDH assumption.
How to Leak on Key Updates
Cited by 15 (2 self)
In the continual memory leakage model, security against attackers who can repeatedly obtain leakage is achieved by periodically updating the secret key. This is an appealing model which captures a wide class of side-channel attacks, but all previous constructions in this model provide only a very minimal amount of leakage tolerance during secret key updates. Since key updates may happen frequently, improving security guarantees against attackers who obtain leakage during these updates is an important problem. In this work, we present the first cryptographic primitives which are secure against a super-logarithmic amount of leakage during secret key updates. We present signature and public key encryption schemes in the standard model which can tolerate a constant fraction of the secret key to be leaked between updates as well as a constant fraction of the secret key and update randomness to be leaked during updates. Our signature scheme also allows us to leak a constant fraction of the entire secret state during signing. Before this work, it was unknown how to tolerate super-logarithmic leakage during updates even in the random oracle model. We rely on subgroup decision assumptions in composite order bilinear groups.
Dual system encryption via predicate encodings
In TCC, 2014
Cited by 13 (4 self)
We introduce the notion of predicate encodings, an information-theoretic primitive reminiscent of linear secret sharing that in addition, satisfies a novel notion of reusability. Using this notion, we obtain a unifying framework for adaptively-secure public-index predicate encryption schemes for a large class of predicates. Our framework relies on Waters’ dual system encryption methodology (Crypto ’09), and encompasses the identity-based encryption scheme of Lewko and Waters (TCC ’10), and the attribute-based encryption scheme of Lewko et al. (Eurocrypt ’10). In addition, we obtain several concrete improvements over prior works. Our work offers a novel interpretation of dual system encryption as a methodology for amplifying a one-time private-key primitive (i.e. predicate encodings) into a many-time public-key primitive (i.e. predicate encryption).
Déjà Q: Using Dual Systems to Revisit q-Type Assumptions
Cited by 7 (1 self)
After more than a decade of usage, bilinear groups have established their place in the cryptographic canon by enabling the construction of many advanced cryptographic primitives. Unfortunately, this explosion in functionality has been accompanied by an analogous growth in the complexity of the assumptions used to prove security. Many of these assumptions have been gathered under the umbrella of the “uber-assumption,” yet certain classes of these assumptions — namely, q-type assumptions — are stronger and require larger parameter sizes than their static counterparts. In this paper, we show that in certain bilinear groups, many classes of q-type assumptions are in fact implied by subgroup hiding (a well-established, static assumption). Our main tool in this endeavor is the dual-system technique, as introduced by Waters in 2009. As a case study, we first show that in composite-order groups, we can prove the security of the Dodis-Yampolskiy PRF based solely on subgroup hiding and allow for a domain of arbitrary size (the original proof only allowed a logarithmically-sized domain). We then turn our attention to classes of q-type assumptions and show that they are implied — when instantiated in appropriate groups — solely by subgroup hiding. These classes are quite general and include assumptions such as q-SDH. Concretely, our result implies that every construction relying on such assumptions for security (e.g., Boneh-Boyen signatures) can, when instantiated in appropriate composite-order bilinear groups, be proved secure under subgroup hiding instead.
Bounded-collusion IBE from key homomorphism
In TCC, 2012
Cited by 5 (0 self)
In this work, we show how to construct IBE schemes that are secure against a bounded number of collusions, starting with underlying PKE schemes which possess linear homomorphisms over their keys. In particular, this enables us to exhibit a new (bounded-collusion) IBE construction based on the quadratic residuosity assumption, without any need to assume the existence of random oracles. The new IBE's public parameters are of size O(t log I) where I is the total number of identities which can be supported by the system, t is the number of collusions which the system is secure against, and is a security parameter. While the number of collusions is bounded, we note that an exponential number of total identities can be supported. More generally, we give a transformation that takes any PKE satisfying Linear Key Homomorphism, Identity Map Compatibility, and the Linear Hash Proof Property and translates it into an IBE secure against bounded collusions. We demonstrate that these properties are more general than our quadratic residuosity-based scheme by showing how a simple PKE based on the DDH assumption also satisfies these properties.
On continual leakage of discrete log representations
IACR Cryptology ePrint Archive, 2012:367, 2012 (informal publication)
Cited by 4 (0 self)
Let $G$ be a group of prime order $q$, and let $g_1, \ldots, g_n$ be random elements of $G$. We say that a vector $x = (x_1, \ldots, x_n) \in \mathbb{Z}_q^n$ is a discrete log representation of some element $y \in G$ (with respect to $g_1, \ldots, g_n$) if $g_1^{x_1} \cdots g_n^{x_n} = y$. Any element $y$ has many discrete log representations, forming an affine subspace of $\mathbb{Z}_q^n$. We show that these representations have a nice continuous leakage-resilience property as follows. Assume some attacker $A(g_1, \ldots, g_n, y)$ can repeatedly learn $L$ bits of information on arbitrarily many random representations of $y$. That is, $A$ adaptively chooses polynomially many leakage functions $f_i : \mathbb{Z}_q^n \to \{0,1\}^L$, and learns the value $f_i(x_i)$, where $x_i$ is a fresh and random discrete log representation of $y$. $A$ wins the game if it eventually outputs a valid discrete log representation $x^*$ of $y$. We show that if the discrete log assumption holds in $G$, then no polynomially bounded $A$ can win this game with non-negligible probability, as long as the leakage on each representation is bounded by $L \approx (n-2)\log q = (1 - \tfrac{2}{n}) \cdot |x|$.
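The objects in this abstract, worked through in code (an added example written for this listing, not code from the paper): a representation $x$ of $y$ is checked by evaluating $\prod g_i^{x_i}$, the representations of a fixed $y$ differ by vectors in the kernel $\{r : \sum_i \alpha_i r_i = 0\}$ where $g_i = g^{\alpha_i}$, and the tolerated per-representation leakage is $(n-2)\log_2 q$ bits. The group is the order-$q$ subgroup of $\mathbb{Z}_p^*$ for the toy safe prime $p = 10007$, and the refresh routine samples kernel vectors using the exponents $\alpha_i$ as a trapdoor; both the toy parameters and the use of that trapdoor are assumptions of this example, not a description of how the paper's scheme performs key updates.

```python
"""Discrete-log representations of a group element, and refreshing them.

Added example, not from the cited paper.  Toy parameters: p = 2q + 1 with
q prime, and G = 4 (a quadratic residue mod p) generates the order-q subgroup.
A real deployment uses a ~2048-bit p or a prime-order elliptic-curve group.
"""
import math
import random
import secrets

P = 10007            # toy safe prime (assumption of this example)
Q = (P - 1) // 2     # 5003, prime: order of the subgroup we work in
G = 4                # generator of the order-Q subgroup of Z_P^*
DEFAULT_RNG = secrets.SystemRandom()


def make_generators(n, rng=DEFAULT_RNG):
    """Sample g_i = G^{alpha_i} with alpha_i != 0.  The alphas are a trapdoor that
    this example keeps only so that refresh() can sample kernel vectors."""
    alphas = [rng.randrange(1, Q) for _ in range(n)]
    gens = [pow(G, a, P) for a in alphas]
    return gens, alphas


def sample_secret(n, rng=DEFAULT_RNG):
    """A uniformly random x in Z_q^n; y = evaluate(gens, x) is its public image."""
    return [rng.randrange(Q) for _ in range(n)]


def evaluate(gens, x):
    """y = g_1^{x_1} * ... * g_n^{x_n} mod p."""
    y = 1
    for g, xi in zip(gens, x):
        y = (y * pow(g, xi, P)) % P
    return y


def is_representation(gens, x, y):
    """True iff x is a discrete log representation of y w.r.t. gens."""
    return len(x) == len(gens) and evaluate(gens, x) == y


def in_kernel(alphas, r):
    """True iff sum alpha_i r_i = 0 mod q, i.e. prod g_i^{r_i} = 1.  The set of
    representations of any y is x + kernel, an (n-1)-dimensional affine subspace."""
    return sum(a * ri for a, ri in zip(alphas, r)) % Q == 0


def random_kernel_vector(alphas, rng=DEFAULT_RNG):
    """Uniform kernel vector: choose r_1..r_{n-1} freely, solve for r_n."""
    *head, a_n = alphas
    r = [rng.randrange(Q) for _ in head]
    s = sum(a * ri for a, ri in zip(head, r)) % Q
    r.append((-s * pow(a_n, -1, Q)) % Q)   # a_n != 0 by make_generators
    return r


def refresh(x, alphas, rng=DEFAULT_RNG):
    """A fresh, uniformly random representation of the same y: x + r, r in kernel.
    This is the 'fresh and random x_i' the abstract's leakage game hands to f_i."""
    r = random_kernel_vector(alphas, rng)
    return [(xi + ri) % Q for xi, ri in zip(x, r)]


def leakage_bound_bits(n):
    """Per-representation leakage the theorem tolerates: (n - 2) * log2(q) bits."""
    return (n - 2) * math.log2(Q)


def leakage_fraction(n):
    """The same bound as a fraction of |x| = n * log2(q): 1 - 2/n."""
    return 1 - 2 / n


if __name__ == "__main__":
    rng = random.Random(2012)   # fixed seed so the demo is reproducible
    n = 4
    gens, alphas = make_generators(n, rng)
    x = sample_secret(n, rng)
    y = evaluate(gens, x)
    print("y =", y, " x =", x, " valid:", is_representation(gens, x, y))
    x2 = refresh(x, alphas, rng)
    print("x' =", x2, " valid:", is_representation(gens, x2, y))
    diff = [(a - b) % Q for a, b in zip(x2, x)]
    print("x' - x in kernel:", in_kernel(alphas, diff))
    print(f"leakage bound: {leakage_bound_bits(n):.1f} bits per representation "
          f"({leakage_fraction(n):.0%} of |x| = {n * math.log2(Q):.1f} bits)")
```

With $n = 4$ the bound is half of $|x|$: an attacker may learn two full coordinates' worth of information about every representation it is shown and still, under the DL assumption, cannot produce a representation of its own. Note what the example does and does not claim: generating a fresh representation here uses the exponents $\alpha_i$, which a real scheme must avoid holding next to the leaking state, so the refresh mechanism is illustrative only.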