#### DMCA

## Improved dual system ABE in prime-order groups via predicate encodings (2015)

Venue: | In Eurocrypt |

Citations: | 6 - 2 self |

### Citations

1742 | Identity-based encryption from the Weil pairing, in: Joe Kilian (Ed
- Boneh, Franklin
- 2001
(Show Context)
Citation Context ...itrarily complex access policy, which is in stark contrast to traditional public-key encryption, where access is all or nothing. The simplest example of ABE is that of identity-based encryption (IBE) =-=[40, 7, 17]-=- where P corresponds to equality. The security requirement for ABE enforces resilience to collusion attacks, namely any group of users holding secret keys for different values learns nothing about the... |

1127 |
Identity-based cryptosystems and signature schemes, in: G.R. Blakley, David Chaum (Eds
- Shamir
- 1985
(Show Context)
Citation Context ...itrarily complex access policy, which is in stark contrast to traditional public-key encryption, where access is all or nothing. The simplest example of ABE is that of identity-based encryption (IBE) =-=[40, 7, 17]-=- where P corresponds to equality. The security requirement for ABE enforces resilience to collusion attacks, namely any group of users holding secret keys for different values learns nothing about the... |

520 | Attribute-based encryption for fine-grained access control of encrypted data
- Goyal, Pandey, et al.
- 2006
(Show Context)
Citation Context ...rder groups, (iii) an extension to weakly attribute-hiding predicate encryption (which includes anonymous identity-based encryption as a special case). 1 Introduction Attribute-based encryption (ABE) =-=[39, 22]-=- is a new paradigm for public-key encryption that enables finegrained access control for encrypted data. In ABE, ciphertexts are associated with descriptive values x in addition to a plaintext, secret... |

375 | Fuzzy identity-based encryption
- Sahai, Waters
- 2005
(Show Context)
Citation Context ...rder groups, (iii) an extension to weakly attribute-hiding predicate encryption (which includes anonymous identity-based encryption as a special case). 1 Introduction Attribute-based encryption (ABE) =-=[39, 22]-=- is a new paradigm for public-key encryption that enables finegrained access control for encrypted data. In ABE, ciphertexts are associated with descriptive values x in addition to a plaintext, secret... |

330 | Broadcast encryption - Fiat, Naor - 1993 |

282 | An identity based encryption scheme based on quadratic residues
- Cocks
- 2001
(Show Context)
Citation Context ...itrarily complex access policy, which is in stark contrast to traditional public-key encryption, where access is all or nothing. The simplest example of ABE is that of identity-based encryption (IBE) =-=[40, 7, 17]-=- where P corresponds to equality. The security requirement for ABE enforces resilience to collusion attacks, namely any group of users holding secret keys for different values learns nothing about the... |

269 | Hierarchical identity based encryption with constant size ciphertext
- Boneh, Boyen, et al.
- 2005
(Show Context)
Citation Context ...1)2 ctid = [As, (W0+ id ·W1)>As]1, [k>As]T ·m ∈G2(k+1)1 ×GT where A,B ∈ Z(k+1)×kp ,W0,W1 ∈ Z(k+1)×(k+1)p ,s,r ∈ Zkp ,k ∈ Zk+1p . This scheme extends naturally to a nonanonymous BBG-style compact HIBE =-=[10]-=- (this is not the case for the prime-order IBE schemes in [30, 15]). 1.2 Discussion Comparison with prior works. A summary of the prior approaches for obtaining efficient adaptively secure efficient d... |

221 | Efficient selective-ID secure identity-based encryption without random oracles.
- Boneh, Boyen
- 2004
(Show Context)
Citation Context ...at kE does not depend on w. Example: equality. Fix a prime integer p. Consider the equality predicate whereX=Y=Zp and P(x, y)= 1 iff x = y . The following is a predicate encoding for equality used in =-=[6, 32]-=-: sE(x, (w1, w2)) :=w1+w2x rE(y, (w1, w2)) :=w1+w2 y kE(y,α) :=α sD(x, y,c)= c rD(x, y,k)= k When x = y , w1+w2x = w1+w2 y and we can reconstruct α. For α-privacy, we exploit the fact that (w1+ w2x, w... |

183 | Conjunctive, subset, and range queries on encrypted data
- Boneh, Waters
(Show Context)
Citation Context ...r groups in primeorder ones, (ii) a refinement of the encodings framework for dual system ABE for composite-order groups in [2, 43], (iii) an extension to weakly attribute-hiding predicate encryption =-=[28, 9]-=- (which includes anonymous IBE as a special case). The last two components answer the open problems left in [2, 43]. New techniques for simulating composite-order groups. The starting point of our con... |

173 | Predicate encryption supporting disjunctions, polynomial equations, and inner products
- Katz, Sahai, et al.
(Show Context)
Citation Context ...r groups in primeorder ones, (ii) a refinement of the encodings framework for dual system ABE for composite-order groups in [2, 43], (iii) an extension to weakly attribute-hiding predicate encryption =-=[28, 9]-=- (which includes anonymous IBE as a special case). The last two components answer the open problems left in [2, 43]. New techniques for simulating composite-order groups. The starting point of our con... |

147 | On Span Programs - Karchmer, Wigderson - 1993 |

144 | Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption - Lewko, Okamoto, et al. - 2010 |

120 | Dual system encryption: Realizing fully secure ibe and hibe under simple assumptions
- Waters
- 2009
(Show Context)
Citation Context ...or a large class of predicates. We now have a fairly good understanding of how to obtain such schemes in composite-order bilinear groups, thanks to Waters’ powerful dual system encryption methodology =-=[42]-=- and recent unifying frameworks in [2, 43] for the design of dual system ABE schemes. However, these latter frameworks only work in composite-order bilinear groups, for which group operations and espe... |

98 | Provably secure ciphertext policy ABE,” in - Cheung, Newport - 2007 |

96 | Secure Schemes for Secret Sharing and Key Distribution,” - Beimel - 1996 |

79 | Fully secure functional encryption with general relations from the decisional linear assumption. IACR Cryptology ePrint Archive
- Okamoto, Takashima
- 2010
(Show Context)
Citation Context ...f DSG from k-Lin We present a new instantiation of dual system groups under the k-Lin assumption, inspired by the constructions in [5, 14]. Overview. The prior construction of DSG [14] (building upon =-=[35, 36, 30, 15]-=-) starts with a random B ←R GLk+1(Zp ) and defines B∗ := (B>)−1 so that B>B∗ is the identity matrix; then uses B for SampG,áSampG and B∗ for SampH,áSampH. In our construction, we may start with any pa... |

77 | New techniques for dual system encryption and fully secure hibe with short ciphertexts
- Lewko, Waters
- 2010
(Show Context)
Citation Context ...d for security. We now proceed to describe our encodings framework for ABE. Modular approach for ABE. We begin with the observation that the prior composite-order ABE schemes in [43, 2] (generalizing =-=[32, 33]-=-) may be modified so that master public key, secret key and ciphertext are of the form: mpk := (g1, g w1 , e(g1, g1)α ) sky := ( g r1 , g kE(y,α)+r ·rE(y,w) 1 ) ctx := ( g s1, g s·sE(x,w) 1 , e(g1, g1... |

56 | Converting pairing-based cryptosystems from composite order groups to primeorder groups,”
- Freeman
- 2010
(Show Context)
Citation Context ...n ease of theoretical design and practical efficiency, a series of works studied techniques for converting cryptosystems relying on composite-order groups to cryptosystems based on prime-order groups =-=[34, 35, 20, 30, 15, 14]-=-, largely in the context of dual system ABE. In addition, we have direct constructions of dual system prime-order hierarchical identity-based encryption (HIBE) schemes in [26, 5] that bypass a convers... |

44 |
Hierarchical predicate encryption for inner-products
- Okamoto, Takashima
- 2009
(Show Context)
Citation Context ...n ease of theoretical design and practical efficiency, a series of works studied techniques for converting cryptosystems relying on composite-order groups to cryptosystems based on prime-order groups =-=[34, 35, 20, 30, 15, 14]-=-, largely in the context of dual system ABE. In addition, we have direct constructions of dual system prime-order hierarchical identity-based encryption (HIBE) schemes in [26, 5] that bypass a convers... |

39 | Functional encryption for inner product Predicates from learning with errors. Cryptology
- Agrawal, Freeman, et al.
- 2011
(Show Context)
Citation Context ...re not authorized to decrypt the challenge ciphertext. To achieve this property, we require additional properties from the underlying encoding and the underlying group structure (extending ideas from =-=[36, 1, 5]-=-). We use the fact that for any vector c ∈ Zk+1p outside the span of A, the vector W>c is uniformly random given W>A, where W is a uniformly random matrix. We can then use W>c to information-theoretic... |

38 | Generalized identity based and broadcast encryption schemes, - Boneh, Hamburg - 2008 |

37 | Tools for simulating features of composite order bilinear groups in the prime order setting
- Lewko
- 2012
(Show Context)
Citation Context ...n ease of theoretical design and practical efficiency, a series of works studied techniques for converting cryptosystems relying on composite-order groups to cryptosystems based on prime-order groups =-=[34, 35, 20, 30, 15, 14]-=-, largely in the context of dual system ABE. In addition, we have direct constructions of dual system prime-order hierarchical identity-based encryption (HIBE) schemes in [26, 5] that bypass a convers... |

26 | Adaptively attribute-hiding (hierarchical) inner product encryption - Okamoto, Takashima |

25 |
Homomorphic encryption and signatures from vector decomposition
- Okamoto, Takashima
- 2008
(Show Context)
Citation Context |

19 | Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits.
- Boneh, Gentry, et al.
- 2014
(Show Context)
Citation Context ...– the first adaptively secure key-policy and ciphertext-policy ABE schemes for arithmetic formula and branching programs without an exponential security loss, improving upon previous constructions in =-=[25, 11]-=-. Along the way, we also generalize several previous constructions for k = 2 to general k with k = 1 being particularly relevant for practical efficiency. More generally, the parameters of our schemes... |

17 |
Functional encryption for inner product: achieving constant-size ciphertexts with adaptive security or support for negation
- Attrapadung, Libert
(Show Context)
Citation Context ...+ET k-Lin Fig. 5. Comparison amongst adaptively secure public-index NIPE, based on our encodings in Section A.2. We omitted schemes with weaker security guarantees, such as the co-selective NIPE from =-=[3]-=-. reference |mpk| |sk| |ct| TDec assumption attribute-hiding KSW [28] (2n+2)|GN | (2n+1)|GN | (2n+1)|GN |+ |GT | (2n+1)P composite fully OT10 [36] (3n2+8n+4)|G1|+ |GT | (3n+2)|G2| (3n+2)|G1|+ |GT | (3... |

17 | An algebraic framework for Diffie-Hellman assumptions
- Escala, Herold, et al.
(Show Context)
Citation Context ...om the k-Lin assumption. Moreover, we have an orthogonality property given by a⊥>A = b⊥>B= 0, which tells us that the normal and semi-functional components in different spaces cancel out. 1 Following =-=[18]-=-, we use the implicit representation notation for group elements, as explained in Section 4.1. 2 We can then randomize this basis by choosing W ∈ Z(k+1)×(k+1)p uniformly at random and using ([W>A]1, [... |

14 | Achieving short ciphertexts or short secret-keys for adaptively secure general inner-product encryption
- Okamoto, Takashima
- 2011
(Show Context)
Citation Context ... CNS-1445424, the Alexander von Humboldt Foundation and a Google Faculty Research Award. compact HIBE boolean formula k-Lin anonymous IBE wAH ZIPE DPVS [34, 35, 30, 15] no yes yes yes yes sparse DPVS =-=[37]-=- yes ? ? yes yes QANIZK [26] yes ? yes yes ? dual system groups [14] yes ? yes ? ? MAC-to-(H)IBE [5] yes ? yes yes ? this work yes yes yes yes yes Fig. 1. Summary of previous approaches for building e... |

13 | Dual system encryption via predicate encodings
- Wee
- 2014
(Show Context)
Citation Context ...have a fairly good understanding of how to obtain such schemes in composite-order bilinear groups, thanks to Waters’ powerful dual system encryption methodology [42] and recent unifying frameworks in =-=[2, 43]-=- for the design of dual system ABE schemes. However, these latter frameworks only work in composite-order bilinear groups, for which group operations and especially pairing computations are prohibitiv... |

12 |
Dual system encryption via doubly selective security: Framework, fully secure functional encryption for regular languages, and more
- Attrapadung
- 2014
(Show Context)
Citation Context ...have a fairly good understanding of how to obtain such schemes in composite-order bilinear groups, thanks to Waters’ powerful dual system encryption methodology [42] and recent unifying frameworks in =-=[2, 43]-=- for the design of dual system ABE schemes. However, these latter frameworks only work in composite-order bilinear groups, for which group operations and especially pairing computations are prohibitiv... |

12 | almost) tightly secure IBE and dual system groups - Fully - 2013 |

11 | Building efficient fully collusion-resilient traitor tracing and revocation schemes - Garg, Kumarasubramanian, et al. - 2010 |

10 | (Hierarchical) identity-based encryption from affine message authentication.
- Blazy, Kiltz, et al.
(Show Context)
Citation Context ...oups [34, 35, 20, 30, 15, 14], largely in the context of dual system ABE. In addition, we have direct constructions of dual system prime-order hierarchical identity-based encryption (HIBE) schemes in =-=[26, 5]-=- that bypass a conversion from composite-order groups, but the techniques in these constructions do not seem to ? Shanghai Key Laboratory of Multidimensional Information Processing and Shanghai Key La... |

9 | Shorter ibe and signatures via asymmetric pairings. Pairing, 2012. To appear, also Cryptology ePrint Archive, Report 2012/224
- Chen, Lim, et al.
(Show Context)
Citation Context ...f DSG from k-Lin We present a new instantiation of dual system groups under the k-Lin assumption, inspired by the constructions in [5, 14]. Overview. The prior construction of DSG [14] (building upon =-=[35, 36, 30, 15]-=-) starts with a random B ←R GLk+1(Zp ) and defines B∗ := (B>)−1 so that B>B∗ is the identity matrix; then uses B for SampG,áSampG and B∗ for SampH,áSampH. In our construction, we may start with any pa... |

7 | Fully secure doubly-spatial encryption under simple assumptions - Chen, Zhang, et al. - 2012 |

7 | Shorter quasi-adaptive NIZK proofs for linear subspaces
- Jutla, Roy
- 2013
(Show Context)
Citation Context ...oups [34, 35, 20, 30, 15, 14], largely in the context of dual system ABE. In addition, we have direct constructions of dual system prime-order hierarchical identity-based encryption (HIBE) schemes in =-=[26, 5]-=- that bypass a conversion from composite-order groups, but the techniques in these constructions do not seem to ? Shanghai Key Laboratory of Multidimensional Information Processing and Shanghai Key La... |

6 | Spatial encryption. IACR Cryptology ePrint Archive - Hamburg - 2011 |

5 | Dual system groups and its applications — compact HIBE and more. IACR Cryptology ePrint Archive, Report 2014/265, 2014. Preliminary version in [13
- Chen, Wee
(Show Context)
Citation Context |

4 | Comparing the pairing efficiency over composite-order and prime-order elliptic curves
- Guillevic
- 2013
(Show Context)
Citation Context ...frameworks only work in composite-order bilinear groups, for which group operations and especially pairing computations are prohibitively slow. In practice, prime-order bilinear groups are preferable =-=[23]-=- as they admit not only more efficient but also more compact instantiations. To mitigate the gap between ease of theoretical design and practical efficiency, a series of works studied techniques for c... |

3 | Partial garbling schemes and their applications
- Ishai, Wee
- 2014
(Show Context)
Citation Context ...per exponentiations in the source groups. – We extend the encodings for KP-ABE and CP-ABE to arithmetic branching programs, based on the selectively secure KP-ABE for arithmetic branching programs in =-=[25]-=-(c.f. Section A.6). Combined with our generic framework, we obtain the first adaptively secure KP-ABE and CP-ABE for arithmetic branching programs. – We also present a new encoding for broadcast encry... |

3 | Expressive attribute-based encryption with constant-size ciphertexts from the decisional linear assumption
- Takashima
- 2014
(Show Context)
Citation Context ...elective security. underlying schemes; in particular, applying them to the composite-order compact HIBE schemes in [32] blows up the ciphertext size from constant to linear. The sparse DPVS technique =-=[37, 41]-=- uses subgroups of sparse matrices with mostly zero entries to overcome this limitation; however, they substantially limit the generality of the DPVS technique: the structure of these matrices now dep... |

1 | Adaptively secure broadcast encryption under standard assumptions with better efficiency. IACR Cryptology ePrint Archive - Lee, Lee - 2013 |

1 | Functional Encryption: New Proof Techniques and Advancing Capabilities - Lewko - 2012 |