
Showing papers on "Attribute-based encryption published in 2006"


Proceedings ArticleDOI
30 Oct 2006
TL;DR: This work develops a new cryptosystem for fine-grained sharing of encrypted data that is compatible with Hierarchical Identity-Based Encryption (HIBE), and demonstrates the applicability of the construction to sharing of audit-log information and broadcast encryption.
Abstract: As more sensitive data is shared and stored by third-party sites on the Internet, there will be a need to encrypt data stored at these sites. One drawback of encrypting data is that it can be selectively shared only at a coarse-grained level (i.e., giving another party your private key). We develop a new cryptosystem for fine-grained sharing of encrypted data that we call Key-Policy Attribute-Based Encryption (KP-ABE). In our cryptosystem, ciphertexts are labeled with sets of attributes and private keys are associated with access structures that control which ciphertexts a user is able to decrypt. We demonstrate the applicability of our construction to sharing of audit-log information and broadcast encryption. Our construction supports delegation of private keys which subsumes Hierarchical Identity-Based Encryption (HIBE).

4,257 citations


Journal ArticleDOI
TL;DR: The results of several experimental, statistical analysis and key sensitivity tests show that the proposed image encryption scheme provides an efficient and secure way for real-time image encryption and transmission.

1,109 citations


Journal Article
TL;DR: It is demonstrated that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary's maximal advantage against triple encryption is small until it asks about $2^{78}$ queries.
Abstract: We show that, in the ideal-cipher model, triple encryption (the cascade of three independently-keyed blockciphers) is more secure than single or double encryption, thereby resolving a long-standing open problem. Our result demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary's maximal advantage against triple encryption is small until it asks about $2^{78}$ queries. Our proof uses code-based game-playing in an integral way, and is facilitated by a framework for such proofs that we provide.

704 citations


Book ChapterDOI
28 May 2006
TL;DR: In this article, it was shown that triple encryption (the cascade of three independently-keyed blockciphers) is more secure than single or double encryption in the ideal-cipher model.
Abstract: We show that, in the ideal-cipher model, triple encryption (the cascade of three independently-keyed blockciphers) is more secure than single or double encryption, thereby resolving a long-standing open problem. Our result demonstrates that for DES parameters (56-bit keys and 64-bit plaintexts) an adversary's maximal advantage against triple encryption is small until it asks about $2^{78}$ queries. Our proof uses code-based game-playing in an integral way, and is facilitated by a framework for such proofs that we provide.

551 citations


Proceedings ArticleDOI
30 Oct 2006
TL;DR: A novel secure information management architecture based on emerging attribute-based encryption (ABE) primitives is introduced and a policy system that meets the needs of complex policies is defined and illustrated and cryptographic optimizations that vastly improve enforcement efficiency are proposed.
Abstract: Attributes define, classify, or annotate the datum to which they are assigned. However, traditional attribute architectures and cryptosystems are ill-equipped to provide security in the face of diverse access requirements and environments. In this paper, we introduce a novel secure information management architecture based on emerging attribute-based encryption (ABE) primitives. A policy system that meets the needs of complex policies is defined and illustrated. Based on the needs of those policies, we propose cryptographic optimizations that vastly improve enforcement efficiency. We further explore the use of such policies in two example applications: a HIPAA compliant distributed file system and a social network. A performance analysis of our ABE system and example applications demonstrates the ability to reduce cryptographic costs by as much as 98% over previously proposed constructions. Through this, we demonstrate that our attribute system is an efficient solution for securely managing information in large, loosely-coupled, distributed systems.

463 citations


Journal Article
TL;DR: In this paper, a non-interactive chosen ciphertext secure threshold encryption system is presented, which is based on the identity-based encryption system of Boneh and Boyen and the chosen-ciphertext secure construction of Canetti, Halevi, and Katz.
Abstract: We present a non-interactive chosen ciphertext secure threshold encryption system. The proof of security is set in the standard model and does not use random oracles. Our construction uses the recent identity based encryption system of Boneh and Boyen and the chosen ciphertext secure construction of Canetti, Halevi, and Katz.

153 citations


Journal Article
TL;DR: The results have been analyzed and interpreted as mathematical equations showing the relationship between the examined data and hence can be used to predict any future performance of the algorithm under different conditions.
Abstract: The effects of different parameters of the RC4 encryption algorithm were examined. Some experimental work was performed to illustrate the performance of this algorithm based on changing some of these parameters. The execution time as a function of the encryption key length and the file size was examined; this has been stated as complexity and security. Various data types were analyzed and the role of the data type was also emphasized. The results have been analyzed and interpreted as mathematical equations showing the relationship between the examined data and hence can be used to predict any future performance of the algorithm under different conditions. The order of the polynomial to approximate the execution time was justified.

118 citations


Journal ArticleDOI
TL;DR: In this paper, the Boneh-Franklin identity-based encryption (IBE) scheme was used to obtain a strongly key-insulated encryption scheme with an optimal threshold.
Abstract: Key-insulated encryption schemes use a combination of key splitting and key evolution to protect against key exposure. Existing schemes, however, scale poorly, having cost proportional to the number t of time periods that may be compromised by the adversary, and thus are practical only for small values of t. Yet in practice t might be large. This paper presents a strongly key-insulated encryption scheme with optimal threshold. In our scheme, t need not be known in advance and can be as large as one less than the total number of periods, yet the cost of the scheme is not impacted. This brings key-insulated encryption closer to practice. Our scheme is based on the Boneh-Franklin identity-based encryption (IBE) scheme [9], and exploits algebraic properties of the latter. Another contribution of this paper is to show that (not strongly) key-insulated encryption with optimal threshold and allowing random-access key updates (which our scheme and all others known allow) is equivalent to a restricted form of IBE. This means that the connection between key-insulated encryption and IBE is not accidental.

92 citations


Book ChapterDOI
20 Aug 2006
TL;DR: This work shows how to transform any semantically secure encryption scheme into one that is non-malleable for arbitrarily many messages.
Abstract: There are several candidate semantically secure encryption schemes, yet in many applications non-malleability of encryptions is crucial. We show how to transform any semantically secure encryption scheme into one that is non-malleable for arbitrarily many messages.

86 citations


Patent
19 Jan 2006
TL;DR: In this paper, a method and system for deriving an encryption key (800) using joint randomness not shared by others (JRNSO) is presented. But the method is not suitable for the secure transmission of data.
Abstract: The present invention is related to a method and system for deriving an encryption key (800) using joint randomness not shared by others (JRNSO). Communicating entities generate JRNSO bits (816) from a channel impulse response (CIR) estimate and the JRNSO bits are used in generation of an encryption key. The authentication type may be IEEE 802.1x or a pre-shared key system. In an IEEE 802.1x system, a master key, a pairwise master key or a pairwise transient key may be generated using the JRNSO bits. The encryption key (828) may be generated by using a Diffie-Hellman key derivation algorithm.

85 citations


Book ChapterDOI
13 Feb 2006
TL;DR: This work presents a non-interactive chosen ciphertext secure threshold encryption system that uses the recent identity based encryption system of Boneh and Boyen and the chosen cipher text secure construction of Canetti, Halevi, and Katz.
Abstract: We present a non-interactive chosen ciphertext secure threshold encryption system. The proof of security is set in the standard model and does not use random oracles. Our construction uses the recent identity based encryption system of Boneh and Boyen and the chosen ciphertext secure construction of Canetti, Halevi, and Katz.

Patent
07 Apr 2006
TL;DR: In this article, an identification tag for authenticating a product is associated with the product and has authentication data transmissible to a reader device, where the authentication data include source data including a tag identifier that uniquely identifies the identification tag and a signature value that is a result of a private key encryption of a representation of the source data.
Abstract: An identification tag for authenticating a product is associated with the product and has authentication data transmissible to a reader device. The authentication data include source data including a tag identifier that uniquely identifies the identification tag and a signature value that is a result of a private key encryption of a representation of the source data, where the private key encryption uses a private key of a public key encryption method.

Journal ArticleDOI
TL;DR: A family of encryption schemes is presented that guarantee that for any message space in $\{0,1\}^n$ with minimum entropy $n-\ell$ and for any Boolean function $h:\{0,1\}^n \rightarrow \{0,1\}$, no adversary can predict $h(m)$ from the ciphertext of $m$ with more than $1/n^{\omega(1)}$ advantage.
Abstract: The symmetric encryption problem which manifests itself when two parties must securely transmit a message $m$ with a short shared secret key is considered in conjunction with a computationally unbounded adversary. As the adversary is unbounded, any encryption scheme must leak information about $m$; in particular, the mutual information between $m$ and its ciphertext cannot be zero. Despite this, a family of encryption schemes is presented that guarantee that for any message space in $\{0,1\}^n$ with minimum entropy $n-\ell$ and for any Boolean function $h:\{0,1\}^n \rightarrow \{0,1\}$, no adversary can predict $h(m)$ from the ciphertext of $m$ with more than $1/n^{\omega(1)}$ advantage; this is achieved with keys of length $\ell+\omega(\log n)$. In general, keys of length $\ell+s$ yield a bound of $2^{-\Theta(s)}$ on the advantage. These encryption schemes rely on no unproven assumptions and can be implemented efficiently. Applications of this to cryptosystems based on complexity-theoretic assumptions are discussed and, in addition, a simplified proof of a fundamental "elision lemma" of Goldwasser and Micali is provided.

Journal ArticleDOI
03 Apr 2006
TL;DR: In this article, an identity-based key encapsulation mechanism (ID-KEM) was proposed to build a secure identity based encryption scheme using the techniques of Bentahar et al. The resulting encryption scheme has a number of performance advantages over existing methods.
Abstract: This work presented an identity-based key encapsulation mechanism (ID-KEM). It is possible to use this ID-KEM to build a secure identity based encryption scheme using the techniques of Bentahar et al. The resulting encryption scheme has a number of performance advantages over existing methods. The proposed algorithm has been used in the industry (for example by Identum Ltd.) and is included in the IEEE P1363.3 standard draft.

Posted Content
TL;DR: In this article, a practical identity-based encryption scheme that is secure in the standard model against chosen-ciphertext (IND-CCA2) attacks is described, which is based on an assumption similar to (but slightly stronger than) Bilinear Decisional Diffie-Hellman (BDDH).
Abstract: We describe a practical identity-based encryption scheme that is secure in the standard model against chosen-ciphertext (IND-CCA2) attacks. Security is based on an assumption comparable to (but slightly stronger than) Bilinear Decisional Diffie-Hellman (BDDH). A comparison shows that our construction outperforms all known identity-based encryption schemes in the standard model and its performance is even comparable with the one from the random-oracle based Boneh/Franklin IBE scheme. Our proposed IBE scheme has furthermore the property that it fulfills some notion of "redundancy-freeness", i.e. the encryption algorithm is not only a probabilistic injection but also a surjection. As a consequence the ciphertext overhead is nearly optimal: to encrypt k bit messages for k bit identities and with k bit randomness we get 3k bit ciphertexts to guarantee (roughly) k bits of security.

Book ChapterDOI
03 Jul 2006
TL;DR: A stream cipher that provides confidentiality, traceability and renewability in the context of broadcast encryption and is the first to provide a formal security proof and a non-constant lower bound for resistance against collusion of malicious users.
Abstract: We propose a stream cipher that provides confidentiality, traceability and renewability in the context of broadcast encryption. We prove it to be as secure as the generic pseudo-random sequence on which it operates. This encryption scheme, termed fingercasting scheme, achieves joint decryption and fingerprinting of broadcast messages in such a way that an adversary cannot separate both operations or prevent them from happening simultaneously. The scheme is a combination of a broadcast encryption scheme, a fingerprinting scheme and an encryption scheme inspired by the Chameleon cipher. It is the first to provide a formal security proof and a non-constant lower bound for resistance against collusion of malicious users i.e., a minimum number of content copies needed to remove all fingerprints. The scheme is efficient and includes parameters that allow, for example, to trade-off storage size for computation cost at the receiving end.

Journal ArticleDOI
TL;DR: This work presents and analyzes an adaptive chosen ciphertext secure (IND-CCA) identity-based encryption scheme (IBE) based on the well studied Decisional Diffie-Hellman (DDH) assumption that is provably secure in the standard model assuming the adversary can corrupt up to a maximum of k users adaptively.
Abstract: We present and analyze an adaptive chosen ciphertext secure (IND-CCA) identity-based encryption scheme (IBE) based on the well studied Decisional Diffie-Hellman (DDH) assumption. The scheme is provably secure in the standard model assuming the adversary can corrupt up to a maximum of k users adaptively. This is contrary to the Boneh-Franklin scheme which holds in the random-oracle model.

Journal ArticleDOI
TL;DR: In this paper, Boneh and Franklin proposed an identity-based encryption (IBE) scheme that is escrow free in that no credential-issuing authority (or colluding set of credential-issuing authorities) is able to decrypt ciphertexts itself, provided the users' public keys are properly certified.
Abstract: Since Boneh and Franklin published their seminal paper on identity based encryption (IBE) using the Weil pairing, there has been a great deal of interest in cryptographic primitives based on elliptic-curve pairings. One particularly interesting application has been to control access to data, via possibly complex policies. In this paper we continue the research in this vein. We present an encryption scheme such that the receiver of an encrypted message can only decrypt if it satisfies a particular policy chosen by the sender at the time of encryption. Unlike standard IBE, our encryption scheme is escrow free in that no credential-issuing authority (or colluding set of credential-issuing authorities) is able to decrypt ciphertexts itself, providing the users' public keys are properly certified. In addition we describe a security model for the scenario in question and provide proofs of security for our scheme (in the random oracle model).

Proceedings ArticleDOI
04 Dec 2006
TL;DR: An image encryption and decryption process based on SCAN patterns generated by the SCAN methodology, which can efficiently specify and generate a wide range of scanning paths.
Abstract: This paper proposes an image encryption and decryption process. Its encryption method is based on SCAN patterns generated by the SCAN methodology. SCAN is a language-based two-dimensional spatial-accessing methodology which can efficiently specify and generate a wide range of scanning paths. The scanning-path sequence is then filled into the original image. Note that the scanning paths, together with a random code generating procedure, produce the encryption keys in a great many ways, which results in a quite secret system. This paper presents a brief overview of SCAN, encryption and decryption algorithms, and test results of the methodology.

Journal Article
TL;DR: Using nine different security notions for KEMs, ten for DEMs, and six for PKE schemes, this work completely characterize which combinations lead to a secure hybrid PKE scheme and which do not and revisit and extend prior work on the relation among security notions.
Abstract: The KEM/DEM hybrid encryption paradigm combines the efficiency and large message space of secret key encryption with the advantages of public key cryptography. Due to its simplicity and flexibility, the approach has ever since gained increased popularity and has been successfully adapted in encryption standards. In hybrid public key encryption (PKE), first a key encapsulation mechanism (KEM) is used to fix a random session key that is then fed into a highly efficient data encapsulation mechanism (DEM) to encrypt the actual message. A composition theorem states that if both the KEM and the DEM have the highest level of security (i.e. security against chosen-ciphertext attacks), then so does the hybrid PKE scheme. It is not known if these strong security requirements on the KEM and DEM are also necessary, nor if such general composition theorems exist for weaker levels of security. In this work we study necessary and sufficient conditions on the security of the KEM and the DEM in order to guarantee a hybrid PKE scheme with a certain given level of security. More precisely, using nine different security notions for KEMs, ten for DEMs, and six for PKE schemes we completely characterize which combinations lead to a secure hybrid PKE scheme (by proving a composition theorem) and which do not (by providing counterexamples). Furthermore, as an independent result, we revisit and extend prior work on the relation among security notions for KEMs and DEMs.

Proceedings ArticleDOI
03 Nov 2006
TL;DR: It is argued that well-typed, polynomial-time programs in the type system extended to address encryption and decryption satisfy a computational probabilistic noninterference property, provided that the encryption scheme is IND-CCA secure.
Abstract: Type systems for secure information flow aim to prevent a program from leaking information from variables classified as $H$ to variables classified as $L$. In this work we extend such a type system to address encryption and decryption; our intuition is that encrypting a $H$ plaintext yields a $L$ ciphertext. We argue that well-typed, polynomial-time programs in our system satisfy a computational probabilistic noninterference property, provided that the encryption scheme is IND-CCA secure. As a part of our proof, we first consider secure information flow in a language with a random assignment operator (but no encryption). We establish a result that may be of independent interest, namely, that well-typed, probabilistically total programs with random assignments satisfy probabilistic noninterference. We establish this result using a weak probabilistic bisimulation.

Journal ArticleDOI
TL;DR: Both theoretical and experimental results show that the attacker can access the secret key without difficulty, and the lack of security discourages the use of such an algorithm for practical applications.

Book ChapterDOI
03 Dec 2006
TL;DR: The notion of searchable broadcast encryption is formalized, which is a new generalization of public key encryption with keyword search, and the performances are comparable to those of the currently best single-user forward-secure public-key encryption scheme.
Abstract: We introduce a primitive called Hierarchical Identity-Coupling Broadcast Encryption (HICBE) that can be used for constructing efficient collusion-resistant public-key broadcast encryption schemes with extended properties such as forward-security and keyword-searchability. Our forward-secure broadcast encryption schemes have small ciphertext and private key sizes, in particular, independent of the number of users in the system. One of our best two constructions achieves ciphertexts of constant size and user private keys of size $O(\log^2 T)$, where $T$ is the total number of time periods, while another achieves both ciphertexts and user private keys of size $O(\log T)$. These performances are comparable to those of the currently best single-user forward-secure public-key encryption scheme, while our schemes are designed for broadcasting to arbitrary sets of users. As a side result, we also formalize the notion of searchable broadcast encryption, which is a new generalization of public key encryption with keyword search. We then relate it to anonymous HICBE and present a construction with polylogarithmic performance.

Book ChapterDOI
27 Feb 2006
TL;DR: In this paper, the authors formalize the notion of secure timed-release public key encryption, and show that it is equivalent to strongly key-insulated public-key encryption (with optimal threshold and random access key updates).
Abstract: In this paper we consider two security notions related to Identity Based Encryption: Key-insulated public key encryption, introduced by Dodis, Katz, Xu and Yung; and Timed-Release Public Key cryptography, introduced independently by May and Rivest, Shamir and Wagner. We first formalize the notion of secure timed-release public key encryption, and show that, despite several differences in its formulation, it is equivalent to strongly key-insulated public key encryption (with optimal threshold and random access key updates). Next, we introduce the concept of an authenticated timed-release cryptosystem, briefly consider generic constructions, and then give a construction based on a single primitive which is efficient and provably secure.

Patent
30 Mar 2006
TL;DR: An encryption part or a decryption part of an encryption/decryption apparatus, or a part common to both parts, is used both for encryption and decryption of a datum to be stored and the encrypted memory content and for the generation of the address-individual key and the address-dependent key, respectively.
Abstract: An encryption part or a decryption part of an encryption/decryption apparatus or a part common to both parts is used both for encryption and decryption of a datum to be stored and the encrypted memory content and for the generation of the address-individual key and the address-dependent key, respectively.

Proceedings ArticleDOI
03 May 2006
TL;DR: A novel database encryption scheme for enhanced data sharing inside a database, while preserving data privacy is proposed, characterized by both the fast speed of the conventional encryption and the convenience of key distribution of public key encryption.
Abstract: Database encryption is a crucial technique in the security mechanisms of database. It is widely recognized as one of the key issues of data security. Current techniques of sharing the keys and the encrypted data for databases are neither convenient nor flexible in the real applications. Inspired by the PGP technique, we propose a novel database encryption scheme for enhanced data sharing inside a database, while preserving data privacy. It is characterized by both the fast speed of the conventional encryption and the convenience of key distribution of public key encryption. It also provides secured storage for security related data and effective key management, which enables the encrypted data to be shared conveniently. The scheme has been implemented and successfully applied on Oscar, a commercial DBMS developed by us.

Proceedings ArticleDOI
04 Dec 2006
TL;DR: This paper discusses how a scalable solution to enabling secure and decentralized discovery protocols can be implemented and put to use, and how to extend the WS-discovery Web service protocol with such mechanisms.
Abstract: Dynamic and self-organizing systems like those found in ubiquitous computing or semantic web based scenarios raise numerous challenges regarding trust and privacy. Service discovery is a basic feature of SOA deployment in such systems, given that entities need to locate services they can describe but that they do not necessarily know. PKI based solutions to securing this mechanism, which require a preliminary key distribution, are therefore rendered awkward and contrived. In contrast, the new concept of Attribute Based Encryption, derived from Identity Based Encryption schemes, makes it possible to create secret communication channels with unknown services based solely on some attributes that are part of their description and in a decentralized fashion, that is, without the introduction of any additional trusted third party like a registry. This paper discusses how such a scalable solution to enabling secure and decentralized discovery protocols can be implemented and put to use. After reviewing the security properties that are expected, the paper then goes on to detail how to extend the WS-Discovery Web Service protocol with such mechanisms. Preliminary experimental results based on an implementation of this extended protocol are finally presented.

Patent
29 Mar 2006
TL;DR: In this article, the authors propose a temporary encryption key that can be used to delete data stored on removable storage media that has exceeded its desired lifespan, without destroying the data itself, rather metadata is deleted or the data is encrypted at the time it is written.
Abstract: Cryptographic keys or metadata implement timely deletion of data stored on removable storage media that has exceeded its desired lifespan. The data itself is not destroyed, rather metadata is deleted or the data is encrypted at the time it is written, and the encryption key used for the data is deleted. The data is thereby rendered incomprehensible. The encryption/decryption process may be performed in hardware by the device that reads/writes the removable storage media. The encryption/decryption process is transparent to software interfacing with the read/write device and is performed automatically whenever a piece of removable storage media is detected as having an encryption key present. Thus, this encryption does not provide confidentiality, although a separate confidentiality encryption key may be used to encrypt the temporary encryption key. In one embodiment a circuit within each case or carrier for removable storage media is capable of autonomously deleting the temporary encryption key.

Book ChapterDOI
11 Dec 2006
TL;DR: In this paper, the notion of key encapsulation mechanism supporting cryptographic workflow (WF-KEM) was defined and a KEM-DEM composition theorem was proved for the standard model.
Abstract: Following the work of Al-Riyami et al. we define the notion of key encapsulation mechanism supporting cryptographic workflow (WF-KEM) and prove a KEM-DEM composition theorem which extends the notion of hybrid encryption to cryptographic workflow. We then generically construct a WF-KEM from an identity-based encryption (IBE) scheme and a secret sharing scheme. Chosen ciphertext security is achieved using one-time signatures. Adding a public-key encryption scheme we are able to modify the construction to obtain escrow-freeness. We prove all our constructions secure in the standard model.

Patent
18 Apr 2006
TL;DR: In this paper, a system and methods for encrypting data, generating encryption keys, and generating encryption indicators are described. But the encryption indicators may be stored on a storage medium in a location separate from the location of stored encrypted data.
Abstract: Systems and methods are provided for encrypting data, generating encryption keys, and generating encryption indicators. The encryption indicators may be stored on a storage medium in a location separate from the location of stored encrypted data. The encryption indicator includes information indicative of the encryption key used for encrypting and decrypting the data. In one example, the storage medium is a tape, and the encryption indicator is stored in the user header label of the tape.