Results 1-10 of 32
Unidirectional Chosen-Ciphertext Secure Proxy Re-Encryption
In PKC’08, LNCS
Cited by 40 (1 self)
Abstract. In 1998, Blaze, Bleumer and Strauss introduced a cryptographic primitive called proxy re-encryption (PRE) in which a proxy can transform – without seeing the plaintext – a ciphertext encrypted under one key into an encryption of the same plaintext under another key. The concept has recently drawn renewed interest. Notably, Canetti and Hohenberger showed how to properly define (and realize) chosen-ciphertext security for the primitive. Their system is bidirectional as the translation key allows converting ciphertexts in both directions. This paper presents the first unidirectional proxy re-encryption schemes with chosen-ciphertext security in the standard model (i.e. without the random oracle idealization). The first system provably fits a unidirectional extension of the Canetti-Hohenberger security model. As a second contribution, the paper considers a more realistic adversarial model where attackers may choose dishonest users' keys on their own. It is shown how to modify the first scheme to achieve security in the latter scenario. At a moderate expense, the resulting system provides additional useful properties such as non-interactive temporary delegations. Both constructions are efficient and rely on mild complexity assumptions in bilinear groups. Like the Canetti-Hohenberger scheme, they meet a relaxed flavor of chosen-ciphertext security introduced by Canetti, Krawczyk and Nielsen.
Chosen-Ciphertext Secure Proxy Re-encryption without Pairings
In proc. of International Conference on Cryptology and Network Security, CANS’08, 2008
Cited by 19 (4 self)
Proxy re-encryption (PRE), introduced by Blaze, Bleumer and Strauss, allows a semi-trusted proxy to convert a ciphertext originally intended for Alice into an encryption of the same message intended for Bob. Proxy re-encryption has found many practical applications, such as encrypted email forwarding, secure distributed file systems, and outsourced filtering of encrypted spam. In ACM CCS’07, Canetti and Hohenberger presented a bidirectional PRE scheme with chosen-ciphertext security, and left an important open problem to construct a chosen-ciphertext secure proxy re-encryption scheme without pairings. In this paper, we propose a bidirectional PRE scheme with chosen-ciphertext security. The proposed scheme is fairly efficient due to two distinguished features: (i) it does not use the costly bilinear pairings; (ii) the computational cost and the ciphertext length decrease with re-encryption.
Identity-Based (Lossy) Trapdoor Functions and Applications
2011
Cited by 7 (2 self)
We provide the first constructions of identity-based (injective) trapdoor functions. Furthermore, they are lossy. Constructions are given both with pairings (DLIN) and lattices (LWE). Our lossy identity-based trapdoor functions provide an automatic way to realize, in the identity-based setting, many functionalities previously known only in the public-key setting. In particular we obtain the first deterministic and efficiently searchable IBE schemes and the first hedged IBE schemes, which achieve best possible security in the face of bad randomness. Underlying our constructs is a new definition, of partial lossiness, that may be of broader interest.
Making the Diffie-Hellman Protocol Identity-Based
2010
Cited by 7 (1 self)
This paper presents a new identity based key agreement protocol. In id-based cryptography (introduced by Adi Shamir in [33]) each party uses its own identity as public key and receives his secret key from a master Key Generation Center, whose public parameters are publicly known. The novelty of our protocol is that it can be implemented over any cyclic group of prime order, where the Diffie-Hellman problem is supposed to be hard. It does not require the computation of expensive bilinear maps, or additional assumptions such as factoring or RSA. The protocol is extremely efficient, requiring only twice the amount of bandwidth and computation of the unauthenticated basic Diffie-Hellman protocol. The design of our protocol was inspired by MQV (the most efficient authenticated Diffie-Hellman based protocol in the public-key model) and indeed its performance is competitive with respect to MQV (especially when one includes the transmission and verification of certificates in the MQV protocol, which are not required in an id-based scheme). Our protocol requires a single round of communication in which each party sends only 2 group elements: a very short message, especially when the protocol is implemented over elliptic curves. We provide a full proof of security in the Canetti-Krawczyk security model for key exchange, including a proof that our protocol satisfies additional security properties such as forward secrecy, and resistance to reflection and key-compromise impersonation attacks.
Secure cryptographic workflow in the standard model
In INDOCRYPT, 2006
Cited by 6 (0 self)
Abstract. Following the work of Al-Riyami et al. we define the notion of key encapsulation mechanism supporting cryptographic workflow (WF-KEM) and prove a KEM-DEM composition theorem which extends the notion of hybrid encryption to cryptographic workflow. We then generically construct a WF-KEM from an identity-based encryption (IBE) scheme and a secret sharing scheme. Chosen ciphertext security is achieved using one-time signatures. Adding a public-key encryption scheme we are able to modify the construction to obtain escrow-freeness. We prove all our constructions secure in the standard model.
Efficient chosen-ciphertext secure identity-based encryption with wildcards
Cryptology ePrint Archive, 2006
Cited by 6 (1 self)
We propose new instantiations of chosen-ciphertext secure identity-based encryption schemes with wildcards (WIBE). Our schemes outperform all existing alternatives in terms of efficiency as well as security. We achieve these results by extending the hybrid encryption (KEM-DEM) framework to the case of WIBE schemes. We propose and prove secure one generic construction in the random oracle model, and one direct construction in the standard model.
Parallel Key-Insulated Public Key Encryption Without Random Oracles
In Advances in Public Key Cryptography–PKC 2007. LNCS, 2007
Cited by 4 (0 self)
Abstract. Key-insulated cryptography is a crucial technique for protecting private keys. To strengthen the security of key-insulated protocols, Hanaoka, Hanaoka and Imai recently introduced the idea of parallel key-insulated encryption (PKIE) where distinct physically-secure devices (called helpers) are independently used in key updates. Their motivation was to reduce the risk of exposure for helpers by decreasing the frequency of their connections to insecure environments. Hanaoka et al. showed that it was non-trivial to achieve a PKIE scheme fitting their model and proposed a construction based on the Boneh-Franklin identity-based encryption (IBE) scheme. The security of their system was only analyzed in the idealized random oracle model. In this paper, we provide a fairly efficient scheme which is secure in the standard model (i.e. without random oracles). To do so, we first show the existence of a relation between PKIE and the notion of aggregate signatures (AS) suggested by Boneh et al. We then describe our random oracle-free construction using bilinear maps. Thus, our contributions are both on the concrete side, namely the first realization of parallel key-insulated encryption without the random oracle idealization, and on the conceptual side revealing the relationships between two seemingly unrelated primitives.
Provably Secure Timed-Release Public Key Encryption
Cited by 4 (0 self)
A timed-release cryptosystem allows a sender to encrypt a message so that only the intended recipient can read it, and only after a specified time. We formalize the concept of a secure timed-release public-key cryptosystem and show that, if a third party is relied upon to guarantee decryption after the specified date, this concept is equivalent to identity-based encryption; this explains the observation that all known constructions use identity-based encryption to achieve timed-release security. We then give several provably-secure constructions of timed-release encryption: a generic scheme based on any identity-based encryption scheme, and two more-efficient schemes based on the existence of cryptographically admissible bilinear mappings. The first of these is essentially as efficient as the Boneh-Franklin Identity-Based encryption scheme, and is provably secure and authenticated in the random oracle model; the final scheme is not authenticated but is provably secure in the standard model (i.e., without random oracles).
Provably Secure Identity-based Threshold Key Escrow from Pairing
Cited by 3 (0 self)
This paper proposes an identity-based threshold key escrow scheme. The scheme is secure against identity-based threshold chosen-plaintext attack. It tolerates the passive adversary to access data of corrupted key escrow agency servers and the active adversary that can modify corrupted servers' keys. The formal proof of security is presented in the random oracle model, assuming the Bilinear Diffie-Hellman problem is computationally hard. Keywords: Pairing based cryptology, Threshold key escrow, Identity-based cryptography, Chosen-plaintext attack
From Selective-ID to Full Security: The Case of the Inversion-Based Boneh-Boyen IBE Scheme
Cited by 3 (0 self)
In this note we remark that the inversion-based selective-ID secure identity-based encryption (IBE) scheme from Boneh and Boyen can be bootstrapped to full-ID security using a technique by Waters. Keywords: Identity-based Encryption, full-ID security.