Results 1 - 10 of 15
Efficient Selective Identity-based Encryption
In Proc. of CRYPTO '88, LNCS 403, 1990
Abstract

Cited by 22 (4 self)
We construct two efficient Identity-Based Encryption (IBE) systems that admit selective-identity security reductions without random oracles in groups equipped with a bilinear map. Selective-identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to the identity that it intends to attack, whereas in an adaptive-identity attack the adversary is allowed to choose this identity adaptively. Our first system—BB1—is based on the well studied decisional bilinear Diffie-Hellman assumption, and extends naturally to systems with hierarchical identities, or HIBE. Our second system—BB2—is based on a stronger assumption which we call the Bilinear Diffie-Hellman Inversion assumption and provides another approach to building IBE systems. Our first system, BB1, is very versatile and well suited for practical applications: the basic hierarchical construction can be efficiently secured against chosen-ciphertext attacks, and further extended to support efficient non-interactive threshold decryption, among others, all without using random oracles. Both systems, BB1 and BB2, can be modified generically to provide “full” IBE security (i.e., against adaptive-identity attacks), either using random oracles, or in the standard model at the expense of a non-polynomial but easy-to-compensate security reduction.
Expressive key-policy attribute-based encryption with constant-size ciphertexts
in Proceedings of 14th International Conference on Practice and Theory in Public Key Cryptography (PKC 2011), 2011
Abstract

Cited by 18 (4 self)
Abstract. Attribute-based encryption (ABE), as introduced by Sahai and Waters, allows for fine-grained access control on encrypted data. In its key-policy flavor, the primitive enables senders to encrypt messages under a set of attributes and private keys are associated with access structures that specify which ciphertexts the key holder will be allowed to decrypt. In most ABE systems, the ciphertext size grows linearly with the number of ciphertext attributes and the only known exceptions only support restricted forms of threshold access policies. This paper proposes the first key-policy attribute-based encryption (KP-ABE) schemes allowing for non-monotonic access structures (i.e., that may contain negated attributes) and with constant ciphertext size. Towards achieving this goal, we first show that a certain class of identity-based broadcast encryption schemes generically yields monotonic KP-ABE systems in the selective set model. We then describe a new efficient identity-based revocation mechanism that, when combined with a particular instantiation of our general monotonic construction, gives rise to the first truly expressive KP-ABE realization with constant-size ciphertexts. The downside of these new constructions is that private keys have quadratic size in the number of attributes. On the other hand, they reduce the number of pairing evaluations to a constant, which appears to be a unique feature among expressive KP-ABE schemes.
A tapestry of identity-based encryption: practical frameworks compared
INT. J. APPLIED CRYPTOGRAPHY, 2008
Abstract

Cited by 9 (0 self)
This paper surveys the practical benefits and drawbacks of several identity-based encryption schemes based on bilinear pairings. After providing some background on identity-based cryptography, we classify the known constructions into a handful of general approaches. We then describe efficient and fully-secure IBE and IBKEM instantiations of each approach, with reducibility to practice as the main design parameter. Finally, we catalogue the strengths and weaknesses of each construction according to a few theoretical and many applied comparison criteria.
A Distributed Private-key Generator for Identity-Based Cryptography
 Centre for
Abstract

Cited by 9 (5 self)
Identity-based cryptography can greatly reduce the complexity of sending encrypted messages over the Internet. However, it necessarily requires a private-key generator (PKG), which can create private keys for clients, and so can passively eavesdrop on all encrypted communications. Although a distributed private-key generator has been suggested as a way to mitigate this problem, to date there have been no practical implementations provided for one. This paper presents the first realistic architecture and an implementation for a distributed private-key generator for use over the Internet. We improve the adversary model in the proactive verifiable secret sharing scheme by Herzberg et al. and define master-key modification and secret share recovery protocols in our new model. Our periodic master-key modification achieves forward secrecy of the master key; this feature has been missing in other proactive security schemes, but is of great importance in identity-based applications. Recognizing the utility of modifying the set of nodes and the security threshold in a distributed PKG, we present protocols for these operations. We also compare our architecture to other verifiable secret sharing architectures for the Internet and demonstrate that ours has both better message efficiency as well as a more complete feature set. Finally, with a geographically distributed installation of our application, we verify its efficiency and practicality.
Attribute-Based Encryption Schemes with Constant-Size Ciphertexts
 in "Theoretical Computer Science
Abstract

Cited by 6 (1 self)
Abstract. Attribute-based encryption (ABE), as introduced by Sahai and Waters, allows for fine-grained access control on encrypted data. In its key-policy flavor (the dual ciphertext-policy scenario proceeds the other way around), the primitive enables senders to encrypt messages under a set of attributes and private keys are associated with access structures that specify which ciphertexts the key holder will be allowed to decrypt. In most ABE systems, the ciphertext size grows linearly with the number of ciphertext attributes and the only known exception only supports restricted forms of access policies. This paper proposes the first attribute-based encryption (ABE) schemes allowing for truly expressive access structures and with constant ciphertext size. Our first result is a ciphertext-policy attribute-based encryption (CP-ABE) scheme with O(1)-size ciphertexts for threshold access policies and where private keys remain as short as in previous systems. As a second result, we show that a certain class of identity-based broadcast encryption schemes generically yields monotonic key-policy attribute-based encryption (KP-ABE) systems in the selective set model. Our final contribution is a KP-ABE realization supporting non-monotonic access structures (i.e., that may contain negated attributes) with short ciphertexts. As an intermediate step towards this result, we describe a new efficient identity-based revocation mechanism that, when combined with a particular instantiation of our general monotonic
Identity-Based Online/Offline Key Encapsulation and Encryption
Abstract

Cited by 4 (0 self)
Abstract. An identity-based online/offline encryption (IBOOE) scheme splits the encryption process into two phases. The first phase performs most of the heavy computations, such as modular exponentiation or pairing over points on elliptic curve. The knowledge of the plaintext or the receiver’s identity is not required until the second phase, where the ciphertext is produced by only light computations, such as integer addition/multiplication or hashing. This division of computations makes encryption affordable by devices with limited computation power since the preparation works can be executed “offline” or possibly by some powerful devices. Since efficiency is the main concern, smaller ciphertext size and less burden in the computation requirements of all phases (i.e., both phases of encryption and the decryption phase) are desirable. In this paper, we proposed new schemes with improved efficiency over previous schemes by assuming random oracles. Our first construction is a very efficient scheme which is secure against chosen-plaintext attack (CPA). This scheme is slightly modified from an existing scheme. In particular, the setup and the user private key remain the same. We then proceed to propose the notion of ID-based Online/Offline KEM (IBOOKEM) that allows the key encapsulation process to be split into offline and online stages, in the same way as IBOOE does. We also present a generic transformation to get security against chosen-ciphertext attack (CCA) for IBOOE from any IBOOKEM scheme with one-wayness only. Our schemes (both CPA and CCA) are the most efficient ones in the state-of-the-art, in terms of online computation and ciphertext size, which are the two main focuses of online/offline schemes. Our schemes are very suitable to be deployed on embedded devices such as smartcards or wireless sensors, which have very limited computation power and for which communication bandwidth is very expensive.
Asynchronous Distributed Private-Key Generators for Identity-Based Cryptography
Abstract

Cited by 4 (3 self)
An identity-based encryption (IBE) scheme can greatly reduce the complexity of sending encrypted messages over the Internet. However, an IBE scheme necessarily requires a private-key generator (PKG), which can create private keys for clients, and so can passively eavesdrop on all encrypted communications. Although a distributed PKG has been suggested as a way to mitigate this problem for Boneh and Franklin’s IBE scheme, the security of this distributed protocol has not been proven and the proposed solution does not work over the asynchronous Internet. Further, a distributed PKG has not been considered for any other IBE scheme. In this paper, we design distributed PKG setup and private key extraction protocols in an asynchronous communication model for three important IBE schemes; namely, Boneh and Franklin’s IBE, Sakai and Kasahara’s IBE, and Boneh and Boyen’s BB1-IBE. We give special attention to the applicability of our protocols to all possible types of bilinear pairings and prove their IND-ID-CCA security in the random oracle model. Finally, we also perform a comparative analysis of these protocols and present recommendations for their use.
Full Security: Fuzzy Identity Based Encryption
Abstract

Cited by 1 (0 self)
Abstract. At EUROCRYPT 2005, Sahai and Waters presented the Fuzzy Identity Based Encryption (Fuzzy-IBE) which could be used for biometrics and attribute-based encryption in the selective-identity model. When a secure Fuzzy-IBE scheme in the selective-identity model is transformed to the full identity model, there exists an exponential loss of security. In this paper, we use the CPA secure Gentry's IBE (exponent inversion IBE) to construct the first Fuzzy IBE that is fully secure without random oracles. In addition, the same technique is applied to the modification of CCA secure Gentry's IBE, which was introduced by Kiltz and Vahlis, to get the CCA secure Fuzzy IBE in the full-identity model.
Efficient and Dynamic Key Management for Multiple Identities in Identity-based Systems
Abstract

Cited by 1 (0 self)
The traditional identity-based cryptography requires a user who holds multiple identities to keep multiple private keys, where each private key is associated with an identity. Managing multiple private/public keys is a heavy burden for a user in terms of key management and storage. The recent advances of identity-based cryptography allow a single private key to map multiple public keys (identities), which simplifies the private key management. Unfortunately, the existing schemes do not allow dynamic changes of identities and have a large data size proportional to the number of the associated identities. To overcome these problems, in this paper, we present an efficient and dynamic identity-based key exchange protocol and prove its security under the Bilinear Diffie-Hellman assumption in the random oracle model. Our protocol requires a relatively small bandwidth for a key agreement communication, in comparison with other existing schemes.
Simplified Proof and Improved Concrete Security for Waters' IBE Scheme
2009
Abstract
Waters' variant of the Boneh-Boyen IBE scheme is attractive because of its efficiency, applications, and security attributes, but suffers from a relatively complex proof with poor concrete security. This is due in part to the proof’s “artificial abort” step, which has then been inherited by numerous derivative works. It has often been asked whether this step is necessary. We show that it is not, providing a new proof that eliminates this step. The new proof is not only simpler than the original one but offers better concrete security for important ranges of the parameters.