
Showing papers on "Ciphertext published in 2007"


Proceedings ArticleDOI
20 May 2007
TL;DR: A system for realizing complex access control on encrypted data that is conceptually closer to traditional access control methods such as role-based access control (RBAC) and secure against collusion attacks is presented.
Abstract: In several distributed systems a user should only be able to access data if the user possesses a certain set of credentials or attributes. Currently, the only method for enforcing such policies is to employ a trusted server to store the data and mediate access control. However, if any server storing the data is compromised, then the confidentiality of the data will be compromised. In this paper we present a system for realizing complex access control on encrypted data that we call ciphertext-policy attribute-based encryption. By using our techniques encrypted data can be kept confidential even if the storage server is untrusted; moreover, our methods are secure against collusion attacks. Previous attribute-based encryption systems used attributes to describe the encrypted data and built policies into users' keys; in our system attributes are used to describe a user's credentials, and the party encrypting data determines a policy for who can decrypt. Thus, our methods are conceptually closer to traditional access control methods such as role-based access control (RBAC). In addition, we provide an implementation of our system and give performance measurements.

4,364 citations


Book ChapterDOI
05 Jun 2007
TL;DR: In this paper, the problem of identity-based proxy re-encryption is addressed, where ciphertexts are transformed from one identity to another without seeing the underlying plaintext.
Abstract: In a proxy re-encryption scheme a semi-trusted proxy converts a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. A number of solutions have been proposed in the public-key setting. In this paper, we address the problem of Identity-Based proxy re-encryption, where ciphertexts are transformed from one identity to another. Our schemes are compatible with current IBE deployments and do not require any extra work from the IBE trusted-party key generator. In addition, they are non-interactive and one of them permits multiple re-encryptions. Their security is based on a standard assumption (DBDH) in the random oracle model.

748 citations


Proceedings ArticleDOI
28 Oct 2007
TL;DR: In this article, a CP-ABE scheme with AND gates on positive and negative attributes is proposed, which is proven to be chosen plaintext (CPA) secure under the decisional bilinear Diffie-Hellman (DBDH) assumption.
Abstract: In ciphertext policy attribute-based encryption (CP-ABE), every secret key is associated with a set of attributes, and every ciphertext is associated with an access structure on attributes. Decryption is enabled if and only if the user's attribute set satisfies the ciphertext access structure. This provides fine-grained access control on shared data in many practical settings, e.g., secure database and IP multicast. In this paper, we study CP-ABE schemes in which access structures are AND gates on positive and negative attributes. Our basic scheme is proven to be chosen plaintext (CPA) secure under the decisional bilinear Diffie-Hellman (DBDH) assumption. We then apply the Canetti-Halevi-Katz technique to obtain a chosen ciphertext (CCA) secure extension using one-time signatures. The security proof is a reduction to the DBDH assumption and the strong existential unforgeability of the signature primitive. In addition, we introduce hierarchical attributes to optimize our basic scheme - reducing both ciphertext size and encryption/decryption time while maintaining CPA security. We conclude with a discussion of practical applications of CP-ABE.

729 citations


Posted Content
TL;DR: A scheme for predicates corresponding to the evaluation of inner products over ℤN (for some large integer N) is constructed, which enables constructions in which predicates correspond to the evaluation of disjunctions, polynomials, CNF/DNF formulas, thresholds, and more.
Abstract: Predicate encryption is a new paradigm for public-key encryption that generalizes identity-based encryption and more. In predicate encryption, secret keys correspond to predicates and ciphertexts are associated with attributes; the secret key SK_f corresponding to a predicate f can be used to decrypt a ciphertext associated with attribute I if and only if f(I)=1. Constructions of such schemes are currently known only for certain classes of predicates. We construct a scheme for predicates corresponding to the evaluation of inner products over ℤN (for some large integer N). This, in turn, enables constructions in which predicates correspond to the evaluation of disjunctions, polynomials, CNF/DNF formulas, thresholds, and more. Besides serving as a significant step forward in the theory of predicate encryption, our results lead to a number of applications that are interesting in their own right.

705 citations


Posted Content
TL;DR: In this article, a CP-ABE scheme with AND gates on positive and negative attributes is proposed, which is proven to be chosen plaintext (CPA) secure under the decisional bilinear Diffie-Hellman (DBDH) assumption.
Abstract: In ciphertext policy attribute-based encryption (CP-ABE), every secret key is associated with a set of attributes, and every ciphertext is associated with an access structure on attributes. Decryption is enabled if and only if the user's attribute set satisfies the ciphertext access structure. This provides fine-grained access control on shared data in many practical settings, including secure databases and secure multicast. In this paper, we study CP-ABE schemes in which access structures are AND gates on positive and negative attributes. Our basic scheme is proven to be chosen plaintext (CPA) secure under the decisional bilinear Diffie-Hellman (DBDH) assumption. We then apply the Canetti-Halevi-Katz technique to obtain a chosen ciphertext (CCA) secure extension using one-time signatures. The security proof is a reduction to the DBDH assumption and the strong existential unforgeability of the signature primitive. In addition, we introduce hierarchical attributes to optimize our basic scheme, reducing both ciphertext size and encryption/decryption time while maintaining CPA security. Finally, we propose an extension in which access policies are arbitrary threshold trees, and we conclude with a discussion of practical applications of CP-ABE.

670 citations


Proceedings ArticleDOI
28 Oct 2007
TL;DR: A definition of security against chosen ciphertext attacks for proxy re-encryption (PRE) schemes is proposed, together with an efficient scheme satisfying it that is based only on the Decisional Bilinear Diffie-Hellman assumption in the standard model.
Abstract: In a proxy re-encryption (PRE) scheme, a proxy is given special information that allows it to translate a ciphertext under one key into a ciphertext of the same message under a different key. The proxy cannot, however, learn anything about the messages encrypted under either key. PRE schemes have many practical applications, including distributed storage, email, and DRM. Previously proposed re-encryption schemes achieved only semantic security; in contrast, applications often require security against chosen ciphertext attacks. We propose a definition of security against chosen ciphertext attacks for PRE schemes, and present a scheme that satisfies the definition. Our construction is efficient and based only on the Decisional Bilinear Diffie-Hellman assumption in the standard model. We also formally capture CCA security for PRE schemes via both a game-based definition and simulation-based definitions that guarantee universally composable security. We note that, simultaneously with our work, Green and Ateniese proposed a CCA-secure PRE, discussed herein.

477 citations


Posted Content
TL;DR: A definition of security against chosen ciphertext attacks for proxy re-encryption (PRE) schemes is proposed, together with a scheme that satisfies the definition.
Abstract: In a proxy re-encryption (PRE) scheme, a proxy is given special information that allows it to translate a ciphertext under one key into a ciphertext of the same message under a different key. The proxy cannot, however, learn anything about the messages encrypted under either key. PRE schemes have many practical applications, including distributed storage, email, and DRM. Previously proposed re-encryption schemes achieved only semantic security; in contrast, applications often require security against chosen ciphertext attacks. We propose a definition of security against chosen ciphertext attacks for PRE schemes, and present a scheme that satisfies the definition. Our construction is efficient and based only on the Decisional Bilinear Diffie-Hellman assumption in the standard model. We also formally capture CCA security for PRE schemes via both a game-based definition and simulation-based definitions that guarantee universally composable security. We note that, simultaneously with our work, Green and Ateniese proposed a CCA-secure PRE, discussed herein.

434 citations


Book ChapterDOI
02 Jul 2007
TL;DR: This work constructs an efficient PECK scheme whose security is proven over a decisional linear Diffie-Hellman assumption in the random oracle model, and has the shortest ciphertext size and private key size, and requires a comparable computation overhead.
Abstract: We study the problem of public key encryption with conjunctive keyword search (PECK). Keyword searchable encryption enables a user to outsource his data to the storage of an untrusted server while retaining the ability to selectively search that data without leaking information. A PECK scheme supports searching, in the public key setting, for documents that contain each of several keywords. First, we construct an efficient PECK scheme whose security is proven under a decisional linear Diffie-Hellman assumption in the random oracle model. In comparison with previous schemes, our scheme has the shortest ciphertext size and private key size, and requires comparable computation overhead. Second, we discuss problems related to the security proofs of previous schemes and show that they cannot guarantee complete security. Finally, we introduce a new concept called a multi-user PECK scheme, which achieves efficient computation and communication overhead and effectively manages server storage for a number of users.

432 citations


Book ChapterDOI
21 Feb 2007
TL;DR: The main construction generalizes the approach of Kushilevitz and Ostrovsky for constructing single-server Private Information Retrieval protocols and shows how to strengthen the above so that c′ does not contain additional information about P (other than P(x) for some x) even if the public key and the ciphertext c are maliciously formed.
Abstract: We present a public-key encryption scheme with the following properties. Given a branching program P and an encryption c of an input x, it is possible to efficiently compute a succinct ciphertext c′ from which P(x) can be efficiently decoded using the secret key. The size of c′ depends polynomially on the size of x and the length of P, but does not further depend on the size of P. As interesting special cases, one can efficiently evaluate finite automata, decision trees, and OBDDs on encrypted data, where the size of the resulting ciphertext c′ does not depend on the size of the object being evaluated. These are the first general representation models for which such a feasibility result is shown. Our main construction generalizes the approach of Kushilevitz and Ostrovsky (FOCS 1997) for constructing single-server Private Information Retrieval protocols. We also show how to strengthen the above so that c′ does not contain additional information about P (other than P(x) for some x) even if the public key and the ciphertext c are maliciously formed. This yields a two-message secure protocol for evaluating a length-bounded branching program P held by a server on an input x held by a client. A distinctive feature of this protocol is that it hides the size of the server's input P from the client. In particular, the client's work is independent of the size of P.

250 citations


Book ChapterDOI
09 Oct 2007
TL;DR: Two identity-based proxy re-encryption schemes are proposed, one of which is efficient in both computation and ciphertext length, and the other achieves chosen-ciphertext security.
Abstract: A proxy re-encryption scheme allows Alice to temporarily delegate the decryption rights to Bob via a proxy. Alice gives the proxy a re-encryption key so that the proxy can convert a ciphertext for Alice into the ciphertext for Bob. In this paper, we propose two identity-based proxy re-encryption schemes, which are both proved secure in the standard model. The first one is efficient in both computation and ciphertext length, and the other one achieves chosen-ciphertext security. Our solutions answer the open problems left in the previous work.

228 citations


Book ChapterDOI
20 May 2007
TL;DR: A homomorphic, semantically secure variant of the Camenisch-Shoup verifiable cryptosystem, which uses shorter keys, is unambiguous, and allows efficient proofs that a committed plaintext is encrypted under a committed key.
Abstract: We present an efficient construction of Yao's "garbled circuits" protocol for securely computing any two-party circuit on committed inputs. The protocol is secure in a universally composable way in the presence of malicious adversaries under the decisional composite residuosity (DCR) and strong RSA assumptions, in the common reference string model. The protocol requires a constant number of rounds (four-five in the standard model, two-three in the random oracle model, depending on whether both parties receive the output), O(|C|) modular exponentiations per player, and a bandwidth of O(|C|) group elements, where |C| is the size of the computed circuit. Our technical tools are of independent interest. We propose a homomorphic, semantically secure variant of the Camenisch-Shoup verifiable cryptosystem, which uses shorter keys, is unambiguous (it is infeasible to generate two keys which successfully decrypt the same ciphertext), and allows efficient proofs that a committed plaintext is encrypted under a committed key. Our second tool is a practical four-round (two-round in ROM) protocol for committed oblivious transfer on strings (string-COT) secure against malicious participants. The string-COT protocol takes a few exponentiations per player, and is UC-secure under the DCR assumption in the common reference string model. Previous protocols of comparable efficiency achieved either committed OT on bits, or standard (non-committed) OT on strings.

Posted Content
TL;DR: In this article, the authors presented an IBE system in which ciphertext size is short: an encryption of an ℓ-bit message consists of a single element in Z/NZ plus ℓ+1 additional bits.
Abstract: Identity Based Encryption (IBE) systems are often constructed using bilinear maps (a.k.a. pairings) on elliptic curves. One exception is an elegant system due to Cocks which builds an IBE based on the quadratic residuosity problem modulo an RSA composite N. The Cocks system, however, produces long ciphertexts. Since the introduction of the Cocks system in 2001 it has been an open problem to construct a space efficient IBE system without pairings. In this paper we present an IBE system in which ciphertext size is short: an encryption of an ℓ-bit message consists of a single element in Z/NZ plus ℓ+1 additional bits. Security, as in the Cocks system, relies on the quadratic residuosity problem. The system is based on the theory of ternary quadratic forms and as a result, encryption and decryption are slower than in the Cocks system.

Proceedings Article
01 Jan 2007
TL;DR: In this article, the authors presented an IBE system in which ciphertext size is short: an encryption of an ℓ-bit message consists of a single element in Z/NZ plus ℓ+1 additional bits.
Abstract: Identity Based Encryption (IBE) systems are often constructed using bilinear maps (a.k.a. pairings) on elliptic curves. One exception is an elegant system due to Cocks which builds an IBE based on the quadratic residuosity problem modulo an RSA composite N. The Cocks system, however, produces long ciphertexts. Since the introduction of the Cocks system in 2001 it has been an open problem to construct a space efficient IBE system without pairings. In this paper we present an IBE system in which ciphertext size is short: an encryption of an ℓ-bit message consists of a single element in Z/NZ plus ℓ+1 additional bits. Security, as in the Cocks system, relies on the quadratic residuosity problem. The system is based on the theory of ternary quadratic forms and as a result, encryption and decryption are slower than in the Cocks system.

Book ChapterDOI
21 Feb 2007
TL;DR: This work presents the first positive obfuscation result for a traditional cryptographic functionality: re-encryption, which takes a ciphertext for message m encrypted under Alice's public key and transforms it into a ciphertext for the same message m under Bob's public key.
Abstract: We present the first positive obfuscation result for a traditional cryptographic functionality. This positive result stands in contrast to well-known negative impossibility results [BGI+01] for general obfuscation and recent negative impossibility and improbability [GK05] results for obfuscation of many cryptographic functionalities. Whereas other positive obfuscation results in the standard model apply to very simple point functions, our obfuscation result applies to the significantly more complicated and widely-used re-encryption functionality. This functionality takes a ciphertext for message m encrypted under Alice's public key and transforms it into a ciphertext for the same message m under Bob's public key. To overcome impossibility results and to make our results meaningful for cryptographic functionalities, we use a new definition of obfuscation. This new definition incorporates more security-aware provisions.

Proceedings ArticleDOI
21 Oct 2007
TL;DR: This paper presents an IBE system in which ciphertext size is short: an encryption of an ℓ-bit message consists of a single element in Z/NZ plus ℓ + 1 additional bits.
Abstract: Identity Based Encryption (IBE) systems are often constructed using bilinear maps (a.k.a. pairings) on elliptic curves. One exception is an elegant system due to Cocks which builds an IBE based on the quadratic residuosity problem modulo an RSA composite N. The Cocks system, however, produces long ciphertexts. Since the introduction of the Cocks system in 2001 it has been an open problem to construct a space efficient IBE system without pairings. In this paper we present an IBE system in which ciphertext size is short: an encryption of an ℓ-bit message consists of a single element in Z/NZ plus ℓ + 1 additional bits. Security, as in the Cocks system, relies on the quadratic residuosity problem. The system is based on the theory of ternary quadratic forms and as a result, encryption and decryption are slower than in the Cocks system.

Proceedings Article
23 Sep 2007
TL;DR: A comprehensive study on answering SUM and AVG aggregation queries in a read-optimized DBMS for data warehousing applications by using a secure homomorphic encryption scheme in a novel way, demonstrating that the performance of such a solution is comparable to a traditional symmetric encryption scheme.
Abstract: As more sensitive data is captured in electronic form, security becomes more and more important. Data encryption is the main technique for achieving security. While in the past enterprises were hesitant to implement database encryption because of the very high cost, complexity, and performance degradation, they now have to face the ever-growing risk of data theft as well as emerging legislative requirements. Data encryption can be done at multiple tiers within the enterprise. Different choices on where to encrypt the data offer different security features that protect against different attacks. One class of attack that needs to be taken seriously is the compromise of the database server, its software or administrator. A secure way to address this threat is for a DBMS to directly process queries on the ciphertext, without decryption. We conduct a comprehensive study on answering SUM and AVG aggregation queries in such a system model by using a secure homomorphic encryption scheme in a novel way. We demonstrate that the performance of such a solution is comparable to a traditional symmetric encryption scheme (e.g., DES) in which each value is decrypted and the computation is performed on the plaintext. Clearly this traditional encryption scheme is not a viable solution to the problem because the server must have access to the secret key and the plaintext, which violates our system model and security requirements. We study the problem in the setting of a read-optimized DBMS for data warehousing applications, in which SUM and AVG are frequent and crucial.

Journal Article
TL;DR: An Efficient Chaos-Based Feedback Stream Cipher (ECBFSC) for Image Encryption and Decryption
Abstract: An Efficient Chaos-Based Feedback Stream Cipher (ECBFSC) for Image Encryption and Decryption

Patent
07 Nov 2007
TL;DR: In this paper, a robust computational secret sharing scheme that provides for the efficient distribution and subsequent recovery of private data is disclosed, in which a cryptographic key is randomly generated and then shared using a secret sharing algorithm to generate a collection of key shares.
Abstract: A robust computational secret sharing scheme that provides for the efficient distribution and subsequent recovery of private data is disclosed. A cryptographic key may be randomly generated and then shared using a secret sharing algorithm to generate a collection of key shares. The private data may be encrypted using the key, resulting in a ciphertext. The ciphertext may then be broken into ciphertext fragments using an Information Dispersal Algorithm. Each key share and a corresponding ciphertext fragment are provided as input to the committal method of a probabilistic commitment scheme, resulting in a committal value and a decommittal value. A share for the robust computational secret sharing scheme may be obtained by combining the key share, the ciphertext fragment, the decommittal value, and the vector of committal values.

01 Jan 2007
TL;DR: Methods of generating a self-invertible matrix for the Hill Cipher algorithm are proposed, which eliminate the computational cost of finding the inverse of the matrix during decryption.
Abstract: In this paper, methods of generating a self-invertible matrix for the Hill Cipher algorithm are proposed. The inverse of the matrix used for encrypting the plaintext does not always exist, so if the matrix is not invertible, the encrypted text cannot be decrypted. In the self-invertible matrix generation method, the matrix used for encryption is its own inverse, so at decryption time there is no need to compute a matrix inverse. This eliminates the computational cost of finding the inverse of the matrix during decryption.

Journal ArticleDOI
TL;DR: In DNASC, billions of DNA probes are hybridized and identified at the same time, thus the decryption process is conducted in a massive, parallel way, and the great potential in vast parallelism computation and the extraordinary information density of DNA are displayed to some degree.
Abstract: DNA cryptography is a new field which has emerged with progress in the research of DNA computing. In our study, a symmetric-key cryptosystem was designed by applying a modern DNA biotechnology, microarray, into cryptographic technologies. This is referred to as DNA symmetric-key cryptosystem (DNASC). In DNASC, both encryption and decryption keys are formed by DNA probes, while its ciphertext is embedded in a specially designed DNA chip (microarray). The security of this system is mainly rooted in difficult biology processes and problems, rat

01 Jan 2007
TL;DR: The results show that for such a 64-bit SPN using 8×8 s-boxes, the number of s-boxes involved in any 2 rounds of a linear approximation or a differential characteristic is equal to 8 with probability exceeding 0.8.
Abstract: A.M. Youssef, S. Mister and S.E. Tavares. Department of Electrical and Computer Engineering, Queen's University, Kingston, Ontario, Canada, K7L 3N6. E-mail: {amr_y, misters and tavares}@ee.queensu.ca. http://adonis.ee.queensu.ca:8000. In this paper we study the security of Substitution Permutation Encryption Networks (SPNs) with randomly selected bijective substitution boxes and a randomly selected invertible linear transformation layer. In particular, our results show that for such a 64-bit SPN using 8×8 s-boxes, the number of s-boxes involved in any 2 rounds of a linear approximation or a differential characteristic is equal to 8 with probability exceeding 0.8. For these SPNs the number of plaintext/ciphertext pairs that are required for the basic linear and differential cryptanalysis exceeds 2

Patent
Jun-bum Shin1, Ji-soon Park1
07 Dec 2007
TL;DR: In this paper, a method of encrypting a message for message integrity is provided, in which a random number is generated, a first ciphertext is generated by encrypting the message using the random number, a hash value of the first ciphertext is calculated, an encryption key is generated using the hash value and a shared key, a second ciphertext is generated by encrypting the random number using the encryption key, and the first and second ciphertexts are combined.
Abstract: A method of encrypting a message for message integrity is provided. In the method, a random number is generated, a first ciphertext is generated by encrypting the message by using the generated random number, a hash value of the first ciphertext is calculated, an encryption key is generated by using the hash value of the first ciphertext and a shared key, a second ciphertext is generated by encrypting the random number by using the encryption key, and the first and second ciphertexts are combined.

Book ChapterDOI
16 Apr 2007
TL;DR: The Medium Field Equation (MFE) multivariate public key cryptosystem proposed by Wang, Yang, Hu and Lai is broken using the second order linearization equation attack method due to Patarin.
Abstract: In the CT-track of the 2006 RSA conference, a new multivariate public key cryptosystem, called the Medium Field Equation (MFE) multivariate public key cryptosystem, was proposed by Wang, Yang, Hu and Lai. We use the second order linearization equation attack method by Patarin to break MFE. Given a ciphertext, we can derive the plaintext within 2^23 F_{2^16}-multiplications, after performing once for any given public key a computation of complexity less than 2^52. We also propose a high order linearization equation (HOLE) attack on multivariate public key cryptosystems, which is a further generalization of the (first and second order) linearization equation (LE). This method can be used to attack extensions of the current MFE.

01 Jan 2007
TL;DR: A group-oriented CAE scheme with (t, n) shared verification was proposed in this article, which enables one signer to send a confidential message along with the signature to the designated group of n recipients.
Abstract: Conventional authenticated encryption (AE) schemes put emphasis on the one-to-one setting, which allows one signer to produce an authenticated ciphertext such that only the designated recipient can recover the message and verify its corresponding signature. To meet the needs of diversified applications which require simultaneously fulfilling the security requirements of integrity, authenticity, confidentiality and non-repudiation, this paper presents a group-oriented convertible authenticated encryption (CAE) scheme with (t, n) shared verification. Designed mainly for the multi-user setting, the proposed scheme enables one signer to send a confidential message along with the signature to a designated group of n recipients. Any t or more of the n designated recipients can cooperatively recover the message and verify its signature, while t − 1 or fewer cannot. Moreover, in case of a later dispute over repudiation, the designated group of recipients has the ability to convert the signature into an ordinary one for convincing anyone of the signer's dishonesty.

Patent
John P. Taylor1
06 Mar 2007
TL;DR: In this article, a handset sends challenge data to a peripheral device, which hashes it and returns an authentication response type byte followed by response data; the handset compares the response data to the pre-stored plaintext/cyphertext pair associated with the challenge, and a match indicates that the accessory is authentic.
Abstract: A communication protocol between a master device, such as a mobile phone, and a peripheral device facilitates authentication of the peripheral device. When a peripheral device is detected, the master device initiates a wake-up command to the peripheral device, transmits an authentication request command followed by challenge data to the peripheral device, and awaits responses from the peripheral device. The accessory receives the challenge data, performs a hash function on the challenge data, and generates response data. An authentication response type byte is sent to the handset followed by the response data. The handset compares the response data to pre-stored data that is associated with the challenge data. A match indicates that the accessory is authentic. The challenge/response data, also referred to as a plaintext/cyphertext pair, is pre-generated external to the handset using the hash function, then pre-stored in the handset.

Patent
12 Jan 2007
TL;DR: In this article, a tag tree is generated from the authentication tags; the ciphertext data blocks and the tag tree data are stored in untrusted storage, and the root tag of the tag tree is stored in trusted storage.
Abstract: Techniques for encryption and authentication of data. From one or more plaintext data blocks, ciphertext data blocks and corresponding authentication tags are generated by means of authenticated encryption. A tag tree is generated from the authentication tags. The ciphertext data blocks and the tag tree data are stored in untrusted storage, and the root tag of the tag tree is stored in trusted storage.

Book ChapterDOI
16 Apr 2007
TL;DR: These attacks can be interpreted from a provable security point of view: in practice, if one had access to an NTRUencrypt decryption oracle such that the parameter set allows decryption failures, then one could recover the secret key.
Abstract: We present new and efficient key-recovery chosen-ciphertext attacks on NTRUencrypt. Our attacks are somewhat intermediate between chosen-ciphertext attacks on NTRUencrypt previously published at CRYPTO '00 and CRYPTO '03. Namely, the attacks only work in the presence of decryption failures; we only submit valid ciphertexts to the decryption oracle, where the plaintexts are chosen uniformly at random; and the number of oracle queries is small. Interestingly, our attacks can also be interpreted from a provable security point of view: in practice, if one had access to an NTRUencrypt decryption oracle such that the parameter set allows decryption failures, then one could recover the secret key. For instance, for the initial NTRU-1998 parameter sets, the output of the decryption oracle on a single decryption failure is enough to recover the secret key.

Patent
13 Jul 2007
TL;DR: In this paper, an authenticated encryption method and apparatus are described in which plaintext data is encrypted, using a secret key, to form ciphertext data and a message authentication code, MAC, is also formed in dependence on a combination of the ciphertext and data characteristic of the plaintext.
Abstract: An authenticated encryption method and apparatus are described in which plaintext data is encrypted, using a secret key, to form ciphertext data. A message authentication code, MAC, is also formed in dependence on a combination of the ciphertext data and data characteristic of the plaintext data. The ciphertext data and the MAC are then output, for example, for storage to a storage medium. In a preferred embodiment a block cipher operating in GCM mode is adapted to cause the stored message authentication code to be dependent on the plaintext data.

Book ChapterDOI
05 Jun 2007
TL;DR: Two transforms to acquire chosen ciphertext security from tag based techniques are presented; both preserve the public verifiability of the underlying primitives, and can be extended to hierarchical identity based encryption (HIBE) and threshold settings.
Abstract: We present two transforms to acquire chosen ciphertext security from tag based techniques. The first one requires the separability of underlying primitives. By separability, informally, we mean the encryption algorithm has special structure and can process the identity and the message independently. Compared with generic transforms [8], it significantly reduces the ciphertext size overhead with only marginal computation cost. Compared with [11], the only known technique which directly achieves chosen ciphertext secure public key encryption from separable identity based primitives, it only requires selective-Tag/ID security of underlying primitives. Our second transform is less efficient but performs generically. Both transforms preserve the public verifiability of underlying primitives, and can be extended to hierarchical identity based encryption (HIBE) and threshold settings. As an independent interest, we also investigate the security requirements of chameleon hash functions to build strongly unforgeable one-time signatures.

Book ChapterDOI
02 Dec 2007
TL;DR: This work presents a minimalist public-key cryptosystem, as compact as ElGamal, but with adaptive chosen-ciphertext security under the gap Diffie-Hellman assumption in the random oracle model, with a dual-hash device that provides tight redundancy-free implicit validation.
Abstract: We present a minimalist public-key cryptosystem, as compact as ElGamal, but with adaptive chosen-ciphertext security under the gap Diffie-Hellman assumption in the random oracle model. The novelty is a dual-hash device that provides tight redundancy-free implicit validation. Compared to previous constructions, ours features a tight security reduction, both in efficacy and efficiency, to a classic and essentially non-interactive complexity assumption, and without resorting to asymmetric/symmetric-key hybrid constructions. The system is very compact: on elliptic curves with 80-bit security, a 160-bit plaintext becomes a 320-bit ciphertext. It is also very simple and has a number of practical advantages, and we hope to see it adopted widely.