#### DMCA

## Bounded-collusion IBE from key homomorphism (2012)

Venue: | In TCC |

Citations: | 5 - 0 self |

### Citations

1742 | Identity-based encryption from the Weil pairing, in: Joe Kilian (Ed
- Boneh, Franklin
- 2001
(Show Context)
Citation Context ...some relevant highlights in the history of IBEs. The Identity-Based Encryption model was conceived by Shamir in the early 1980s [30]. Thesrst constructions were proposed in 2001 by Boneh and Franklin =-=[6]-=- based on the hardness of the bilinear Die-Hellman problem and by Cocks [13] based on the hardness of the quadratic residuosity problem. Both works relied on the random oracle model. Whereas the quad... |

1379 |
S: Probabilistic encryption
- Goldwasser, Micali
- 1984
(Show Context)
Citation Context ...ess of the quadratic residuosity problem. Both works relied on the random oracle model. Whereas the quadratic residuosity problem has been used in the context of cryptography since the early eighties =-=[22]-=-, computational problems employing bilinear pairings were at the time of [6] relative newcomers to theseld. Indeed, inspired by their extensive usage within the context of IBEs, the richness of biline... |

1127 |
Identity-based cryptosystem and signature scheme,” Advances in Cryptology:
- Shamir
- 1985
(Show Context)
Citation Context ...r results in the context of the known literature, let us quickly review some relevant highlights in the history of IBEs. The Identity-Based Encryption model was conceived by Shamir in the early 1980s =-=[30]-=-. Thesrst constructions were proposed in 2001 by Boneh and Franklin [6] based on the hardness of the bilinear Die-Hellman problem and by Cocks [13] based on the hardness of the quadratic residuosity ... |

282 | An identity based encryption scheme based on quadratic residues
- Cocks
- 2001
(Show Context)
Citation Context ...on model was conceived by Shamir in the early 1980s [30]. Thesrst constructions were proposed in 2001 by Boneh and Franklin [6] based on the hardness of the bilinear Die-Hellman problem and by Cocks =-=[13]-=- based on the hardness of the quadratic residuosity problem. Both works relied on the random oracle model. Whereas the quadratic residuosity problem has been used in the context of cryptography since ... |

251 | A forward-secure public-key encryption scheme
- Canetti, Halevi, et al.
- 2003
(Show Context)
Citation Context ...rst, partial success for IBE based on bilinear group assumptions was achieved by producing IBEs in the standard model provably satisfying a more relaxed security condition known as selective security =-=[11, 4]-=-, whereas the most desirable of security guarantees is that any polynomial-time attacker who can request secret keys for identities of its choice cannot launch a successful chosen-ciphertext attack (C... |

250 | Revocation and tracing schemes for stateless receivers
- Naor, Naor, et al.
- 2001
(Show Context)
Citation Context ...]. This work and several follow up works employed combinatorial techniques [31{33, 18, 25, 19]. Another combinatorial approach, the subset cover framework, was introduced by Naor, Naor, and Lopspeich =-=[27]-=- to build a revocation scheme. In this framework, users are associated with subsets of keys. The trusted system designer can then broadcast an encrypted message by selecting a family of subsets which ... |

188 | V.: Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption
- Cramer, Shoup
- 2002
(Show Context)
Citation Context ...esent, this public key is computed as pka1 pkb2. We note that many existing cryptosystems have this property, or can be made to have this property with trivial modications, including [8], [9], and =-=[14]-=-. The trusted master authority in an IBE will then choose n pairs of (pki; ski) (i = 1; :::; n) using the key generation algorithm of , publish the n pki values, and keep secret the corresponding n s... |

141 | Secure identity based encryption without random oracles
- Boneh, Boyen
- 2004
(Show Context)
Citation Context ...acle model. Ultimately, fully (unrelaxed) secure IBEs were constructed in the standard model (without assuming random oracles) under the decisional Bilinear Die-Hellman assumption by Boneh and Boyen =-=[5]-=- and Waters [34], and most recently under the LWE assumption by Cash, Hofheinz, Kiltz, and Peikert [12] and Agrawal, Boneh, and Boyen [1]. Constructing a fully secure (or even selectively secure) IBE ... |

140 | Practical identity-based encryption without random oracles
- Gentry
(Show Context)
Citation Context ...lie within a speciedsnite range. 1.2 Other Related Work In addition to those referenced above, constructions of IBE schemes in the standard model in the bilinear setting were also provided by Gentry =-=[20]-=- under the q-ABHDE assumption, and by Waters [35] under the bilinear Die-Hellman and decisional linear assumptions. Another construction based on quadratic residuosity in the random oracle model was ... |

123 | Bonsai trees, or how to delegate a lattice basis
- Cash, Hofheinz, et al.
- 2010
(Show Context)
Citation Context ...assuming random oracles) under the decisional Bilinear Die-Hellman assumption by Boneh and Boyen [5] and Waters [34], and most recently under the LWE assumption by Cash, Hofheinz, Kiltz, and Peikert =-=[12]-=- and Agrawal, Boneh, and Boyen [1]. Constructing a fully secure (or even selectively secure) IBE without resorting to the random oracle model based on classical number theoretic assumptions such as DD... |

120 | Dual system encryption: Realizing fully secure ibe and hibe under simple assumptions
- Waters
- 2009
(Show Context)
Citation Context ...ed Work In addition to those referenced above, constructions of IBE schemes in the standard model in the bilinear setting were also provided by Gentry [20] under the q-ABHDE assumption, and by Waters =-=[35]-=- under the bilinear Die-Hellman and decisional linear assumptions. Another construction based on quadratic residuosity in the random oracle model was provided by Boneh, Gentry, and Hamburg [7]. Leaka... |

113 | The LSD Broadcast Encryption Scheme,”
- Halevy, Shamir
- 2002
(Show Context)
Citation Context ...ast an encrypted message by selecting a family of subsets which covers all the desired recipients and none of the undesired ones. An improvement to the NNL scheme was later given by Halevy and Shamir =-=[24]-=-, and these techniques were then extended to the public key setting by Dodis and Fazio [15]. 2 Preliminaries 2.1 IND-CPA Security for Bounded-Collusion IBE We dene IND-CPA security for bounded-collus... |

98 | Efficient lattice (h)ibe in the standard model
- Agrawal, Boneh, et al.
- 2010
(Show Context)
Citation Context ...decisional Bilinear Die-Hellman assumption by Boneh and Boyen [5] and Waters [34], and most recently under the LWE assumption by Cash, Hofheinz, Kiltz, and Peikert [12] and Agrawal, Boneh, and Boyen =-=[1]-=-. Constructing a fully secure (or even selectively secure) IBE without resorting to the random oracle model based on classical number theoretic assumptions such as DDH in non-bilinear groups or the ha... |

94 |
Vaikuntanathan V.: Trapdoors for hard lattices and new cryptographic constructions
- Gentry, Peikert
- 2008
(Show Context)
Citation Context ...ch a successful chosen-ciphertext attack (CCA) against a new adaptively-chosen challenge identity. Enlarging the arsenal of computational complexity bases for IBE, Gentry, Peikert, and Vaikuntanathan =-=[21]-=- proposed an IBE based on the intractability of the learning with errors (LWE) problem, still in the random oracle model. Ultimately, fully (unrelaxed) secure IBEs were constructed in the standard mod... |

91 | Key-Insulated Public Key Cryptosystems
- Dodis, Katz, et al.
- 2002
(Show Context)
Citation Context ...oretic assumptions such as DDH in non-bilinear groups or the hardness of quadratic residuosity assumptions remains open. A dierent relaxation of IBE comes up in the work of Dodis, Katz, Xu, and Yung =-=[16]-=- in the context of their study of the problem of a bounded number of secret key exposures in public-key encryption. To remedy the latter problem, they introduced the notion of key-insulated PKE system... |

88 | G.: Public-key cryptosystems resilient to key leakage
- Naor, Segev
- 2009
(Show Context)
Citation Context ...ems, which weresrst introduced by Cramer and Shoup as a paradigm for proving CCA security of PKE schemes [14]. Hash proof systems have recently been used in the context of leakage-resilience as well (=-=[28]-=-, for example), extending to the identity-based setting in [2]. We note that the primitive of identity-based hash proof systems introduced in [2] takes a dierent direction than our work, and the inst... |

83 |
Résolution d’une question relative aux déterminant
- Hadamard
(Show Context)
Citation Context ...et(AAT). We note that AAT is a t t matrix with integral entries between 0 and n. Dividing each row by n, we obtain a matrix with rational entries between 0 and 1, and can then apply Hadamard's bound =-=[23]-=- to conclude that the determinant of this rational matrix has absolute value at most t t 2 . Thus, the determinant of AAT has absolute value at most ntt t 2 . Applying Theorem 2 in [3], the lemma foll... |

76 | Combinatorial properties and constructions of traceability schemes and frameproof codes - Stinson, Wei - 1998 |

72 | Circular-secure encryption from decision diffie-hellman
- Boneh, Halevi, et al.
- 2008
(Show Context)
Citation Context ...erlying secret keys. These were constructed for the purpose of showing circular security and leakage resilience properties. In particular, for both the scheme of Boneh, Halevi, Hamburg, and Ostrovski =-=[8]-=- and the scheme of Brakerski and Goldwasser [9], it can be shown that starting with two valid (public-key, secret-key) pairs (pk1; sk1); (pk2; sk2), one can obtain a third valid pair as (pk1 pk2; sk... |

64 | Ecient selective-id secure identity based encryption without random oracles
- Boneh, Boyen
- 2004
(Show Context)
Citation Context ...rst, partial success for IBE based on bilinear group assumptions was achieved by producing IBEs in the standard model provably satisfying a more relaxed security condition known as selective security =-=[11, 4]-=-, whereas the most desirable of security guarantees is that any polynomial-time attacker who can request secret keys for identities of its choice cannot launch a successful chosen-ciphertext attack (C... |

62 | On some methods for unconditionally secure key distribution and broadcast encryption, Design, Codes and Cryptography 12 - Stinson - 1997 |

58 |
Fiat and Moni Naor. Broadcast encryption
- Amos
(Show Context)
Citation Context ...tion to bounded collusion resistance has also been well-studied in the context of broadcast encryption and revocation schemes, dating back to the introduction of broadcast encryption by Fiat and Naor =-=[17]-=-. This work and several follow up works employed combinatorial techniques [31{33, 18, 25, 19]. Another combinatorial approach, the subset cover framework, was introduced by Naor, Naor, and Lopspeich [... |

55 | Long-lived broadcast encryption - Garay, Staddon, et al. - 2000 |

52 | Space-efficient identity based encryption without pairings
- Boneh, Gentry, et al.
- 2007
(Show Context)
Citation Context ...aters [35] under the bilinear Die-Hellman and decisional linear assumptions. Another construction based on quadratic residuosity in the random oracle model was provided by Boneh, Gentry, and Hamburg =-=[7]-=-. Leakage-resilient IBE schemes in various models have also been constructed, for example by Alwen, Dodis, Naor, Segev, Walsh, and Wichs [2], by Brakerski, Kalai, Katz, and Vaikuntanathan [10], and b... |

51 |
Overcoming the hole in the bucket: Public-key cryptography resilient to continual memory leakage
- Brakerski, Kalai, et al.
- 2010
(Show Context)
Citation Context ...Hamburg [7]. Leakage-resilient IBE schemes in various models have also been constructed, for example by Alwen, Dodis, Naor, Segev, Walsh, and Wichs [2], by Brakerski, Kalai, Katz, and Vaikuntanathan =-=[10]-=-, and by Lewko, Rouselakis, and Waters [26]. The property we require for our PKE schemes in addition to key homomorphism is a variant of the structure of hash proof systems, which weresrst introduced ... |

46 |
On Siegel’s lemma,
- Bombieri, Vaaler
- 1983
(Show Context)
Citation Context ...ver Q with entries in f0; 1g. Then there exists a basis for the kernel of A consisting of vectors with integral entries all bounded by n t 2 t t 4 . Proof. This is an easy consequence of Theorem 2 in =-=[3]-=-, which implies the existence of a basis with entries all bounded in absolute value by p det(AAT). We note that AAT is a t t matrix with integral entries between 0 and n. Dividing each row by n, we o... |

39 | Efficient methods for integrating traceability and broadcast encryption - Gafni, Staddon, et al. - 1999 |

33 | Circular and leakage resilient public-key encryption under subgroup indistinguishability - (or: Quadratic residuosity strikes back
- Brakerski, Goldwasser
- 2010
(Show Context)
Citation Context ... the purpose of showing circular security and leakage resilience properties. In particular, for both the scheme of Boneh, Halevi, Hamburg, and Ostrovski [8] and the scheme of Brakerski and Goldwasser =-=[9]-=-, it can be shown that starting with two valid (public-key, secret-key) pairs (pk1; sk1); (pk2; sk2), one can obtain a third valid pair as (pk1 pk2; sk1 + sk2). We dene properties of a PKE scheme a... |

27 | Achieving leakage resilience through dual system encryption
- Lewko, Rouselakis, et al.
- 2011
(Show Context)
Citation Context ...in various models have also been constructed, for example by Alwen, Dodis, Naor, Segev, Walsh, and Wichs [2], by Brakerski, Kalai, Katz, and Vaikuntanathan [10], and by Lewko, Rouselakis, and Waters =-=[26]-=-. The property we require for our PKE schemes in addition to key homomorphism is a variant of the structure of hash proof systems, which weresrst introduced by Cramer and Shoup as a paradigm for provi... |

16 | Public-key encryption in the bounded-retrieval model
- Alwen, Naor, et al.
- 2010
(Show Context)
Citation Context ...om oracle model was provided by Boneh, Gentry, and Hamburg [7]. Leakage-resilient IBE schemes in various models have also been constructed, for example by Alwen, Dodis, Naor, Segev, Walsh, and Wichs =-=[2]-=-, by Brakerski, Kalai, Katz, and Vaikuntanathan [10], and by Lewko, Rouselakis, and Waters [26]. The property we require for our PKE schemes in addition to key homomorphism is a variant of the structu... |

16 | Homomorphic encryption: From private-key to public-key
- Rothblum
- 2011
(Show Context)
Citation Context ...now of general constructions. One way to put some order in the picture is to investigate reductions between the various primitives. A beautiful example of such a result was recently shown by Rothblum =-=[29]-=-, who demonstrated a simple reduction between any semantically secure private key encryption scheme which possesses a simple homomorphic property over its ciphertexts to a full- edged semantically sec... |

11 |
Ecient identity-based ecnryption without random oracles
- Waters
(Show Context)
Citation Context ...imately, fully (unrelaxed) secure IBEs were constructed in the standard model (without assuming random oracles) under the decisional Bilinear Die-Hellman assumption by Boneh and Boyen [5] and Waters =-=[34]-=-, and most recently under the LWE assumption by Cash, Hofheinz, Kiltz, and Peikert [12] and Agrawal, Boneh, and Boyen [1]. Constructing a fully secure (or even selectively secure) IBE without resortin... |

5 | Sridhar Rajagopalan, and Amit Sahai. Coding constructions for blacklisting problems without computational assumptions - Kumar - 1999 |

5 | and Tran van Trung. Some new results on key distribution patterns and broadcast encryption. Des - Stinson - 1998 |