
Showing papers on "Ciphertext published in 2008"


Posted Content
TL;DR: In this article, the authors present a new methodology for realizing Ciphertext-Policy Attribute Encryption (CP-ABE) under concrete and noninteractive cryptographic assumptions in the standard model.
Abstract: We present a new methodology for realizing Ciphertext-Policy Attribute Encryption (CP-ABE) under concrete and noninteractive cryptographic assumptions in the standard model. Our solutions allow any encryptor to specify access control in terms of any access formula over the attributes in the system. In our most efficient system, ciphertext size, encryption time, and decryption time scale linearly with the complexity of the access formula. The only previous work to achieve these parameters was limited to a proof in the generic group model. We present three constructions within our framework. Our first system is proven selectively secure under an assumption that we call the decisional Parallel Bilinear Diffie-Hellman Exponent (PBDHE) assumption, which can be viewed as a generalization of the BDHE assumption. Our next two constructions provide performance tradeoffs to achieve provable security respectively under the (weaker) decisional Bilinear Diffie-Hellman Exponent and decisional Bilinear Diffie-Hellman assumptions.

1,416 citations


Book ChapterDOI
17 Aug 2008
TL;DR: In this paper, a general framework for constructing oblivious transfer (OT) protocols that are efficient, universally composable, and generally realizable under any one of a variety of standard number-theoretic assumptions, including the decisional Diffie-Hellman assumption, the quadratic residuosity and decisional composite residuosity assumptions, and worst-case lattice assumptions, was proposed.
Abstract: We propose a simple and general framework for constructing oblivious transfer (OT) protocols that are efficient, universally composable, and generally realizable under any one of a variety of standard number-theoretic assumptions, including the decisional Diffie-Hellman assumption, the quadratic residuosity and decisional composite residuosity assumptions, and worst-case lattice assumptions. Our OT protocols are round-optimal (one message each way), quite efficient in computation and communication, and can use a single common string for an unbounded number of executions between the same sender and receiver. Furthermore, the protocols can provide statistical security to either the sender or the receiver, simply by changing the distribution of the common string. For certain instantiations of the protocol, even a common uniformly random string suffices. Our key technical contribution is a simple abstraction that we call a dual-mode cryptosystem. We implement dual-mode cryptosystems by taking a unified view of several cryptosystems that have what we call "messy" public keys, whose defining property is that a ciphertext encrypted under such a key carries no information (statistically) about the encrypted message. As a contribution of independent interest, we also provide a multi-bit amortized version of Regev's lattice-based cryptosystem (STOC 2005) whose time and space complexity are improved by a linear factor in the security parameter n. The resulting amortized encryption and decryption times are only $\tilde{O}(n)$ bit operations per message bit, and the ciphertext expansion can be made as small as a constant; the public key size and underlying lattice assumption remain essentially the same.

595 citations


Book ChapterDOI
07 Jul 2008
TL;DR: This work presents the first construction of a ciphertext-policy attribute based encryption scheme having a security proof based on a number theoretic assumption and supporting advanced access structures, namely those which can be represented by a bounded size access tree with threshold gates as its nodes.
Abstract: In a ciphertext policy attribute based encryption system, a user's private key is associated with a set of attributes (describing the user) and an encrypted ciphertext will specify an access policy over attributes. A user will be able to decrypt if and only if his attributes satisfy the ciphertext's policy. In this work, we present the first construction of a ciphertext-policy attribute based encryption scheme having a security proof based on a number theoretic assumption and supporting advanced access structures. Previous CP-ABE systems could either support only very limited access structures or had a proof of security only in the generic group model. Our construction can support access structures which can be represented by a bounded size access tree with threshold gates as its nodes. The bound on the size of the access trees is chosen at the time of the system setup. Our security proof is based on the standard Decisional Bilinear Diffie-Hellman assumption.

579 citations
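The abstract above describes the access-tree model (a tree of threshold gates over attributes, satisfied or not by a user's attribute set) but not how such a tree is realized. The standard technique in this line of work is to share a secret down the tree with Shamir polynomials at every gate, so that exactly the satisfying attribute sets can recombine it. The following Python is an added example written for this page, not the paper's construction: it implements only the secret-sharing half over a prime field and omits the pairing-based parts (in a real CP-ABE scheme the shares would be embedded in ciphertext components and the attribute keys would unblind them). The policy, the field prime and the seed are constructed for the demo; each attribute is assumed to appear at most once in a policy.

```python
import random

PRIME = (1 << 61) - 1  # field for the shares (toy choice; any large prime works)

# Policy tree nodes: ('attr', name) for a leaf, ('gate', k, [children]) for a
# k-of-n threshold gate. AND is n-of-n, OR is 1-of-n. Assumption for this demo:
# each attribute appears at most once in a policy, so shares can be keyed by name.

def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... modulo PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def share_secret(secret, node, rng):
    """Split `secret` down the tree; returns {attribute: share}."""
    if node[0] == 'attr':
        return {node[1]: secret % PRIME}
    _, k, children = node
    # Degree k-1 polynomial with constant term = this node's secret:
    # any k child shares reconstruct it, k-1 of them reveal nothing (Shamir).
    coeffs = [secret % PRIME] + [rng.randrange(PRIME) for _ in range(k - 1)]
    shares = {}
    for idx, child in enumerate(children, start=1):
        shares.update(share_secret(_eval_poly(coeffs, idx), child, rng))
    return shares

def _interpolate_at_zero(points):
    """Lagrange interpolation of (x_i, y_i) at x = 0 over GF(PRIME)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def reconstruct(node, attrs, shares):
    """Recover the node's secret from the shares held for `attrs`, or None if
    the attribute set does not satisfy the subtree rooted at `node`."""
    if node[0] == 'attr':
        return shares[node[1]] if node[1] in attrs else None
    _, k, children = node
    points = []
    for idx, child in enumerate(children, start=1):
        val = reconstruct(child, attrs, shares)
        if val is not None:
            points.append((idx, val))
        if len(points) == k:      # k satisfied children are enough
            return _interpolate_at_zero(points)
    return None

# Constructed example policy: admin OR (2 of {dev, oncall, eu})
POLICY = ('gate', 1, [
    ('attr', 'admin'),
    ('gate', 2, [('attr', 'dev'), ('attr', 'oncall'), ('attr', 'eu')]),
])

def demo(seed=42):
    rng = random.Random(seed)
    secret = rng.randrange(1, PRIME)
    shares = share_secret(secret, POLICY, rng)
    return {
        'secret': secret,
        'admin': reconstruct(POLICY, {'admin'}, shares),
        'dev+eu': reconstruct(POLICY, {'dev', 'eu'}, shares),
        'dev only': reconstruct(POLICY, {'dev'}, shares),
        'nobody': reconstruct(POLICY, set(), shares),
    }

if __name__ == '__main__':
    for name, value in demo().items():
        print(f'{name:>9}: {value}')
```

The "bounded size" restriction in the abstract is visible here as the tree shape fixed before sharing; the scheme's setup parameters bound how deep and wide a policy tree may be.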


Proceedings ArticleDOI
31 Oct 2008
TL;DR: This work has developed a solution that provides both data security and space efficiency in single-server storage and distributed storage systems.
Abstract: As the world moves to digital storage for archival purposes, there is an increasing demand for systems that can provide secure data storage in a cost-effective manner. By identifying common chunks of data both within and between files and storing them only once, deduplication can yield cost savings by increasing the utility of a given amount of storage. Unfortunately, deduplication exploits identical content, while encryption attempts to make all content appear random; the same content encrypted with two different keys results in very different ciphertext. Thus, combining the space efficiency of deduplication with the secrecy aspects of encryption is problematic. We have developed a solution that provides both data security and space efficiency in single-server storage and distributed storage systems. Encryption keys are generated in a consistent manner from the chunk data; thus, identical chunks will always encrypt to the same ciphertext. Furthermore, the keys cannot be deduced from the encrypted chunk data. Since the information each user needs to access and decrypt the chunks that make up a file is encrypted using a key known only to the user, even a full compromise of the system cannot reveal which chunks are used by which users.

456 citations
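The abstract above describes the construction (content-derived chunk keys, content-addressed ciphertext, per-user encrypted "recipes") without code. The following Python is an added example written for this page, not the paper's implementation: it derives each chunk key from a hash of the chunk, encrypts with a deterministic nonce so equal chunks produce equal ciphertext, stores chunks by the hash of their ciphertext, and keeps each user's chunk list encrypted under a key only that user holds. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used as a stdlib stand-in for AES; the chunk size, file contents and user keys are constructed for the demo. It also includes the caveat a practitioner wants with this design: because ciphertext is a deterministic function of content, anyone who can guess a chunk's content can test whether it is in the store.

```python
import hashlib
import hmac
import secrets

CHUNK_SIZE = 16            # tiny chunks so the sample files overlap (constructed)
ZERO_NONCE = bytes(16)     # safe only because each key is used for exactly one chunk content

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (stdlib stand-in for AES-CTR)."""
    out, counter = b'', 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, 'big'), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, nonce, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || 16-byte tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b'tag' + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expect = hmac.new(key, b'tag' + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError('bad tag or wrong key')
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def convergent_key(chunk):
    """Key derived from the chunk content: identical chunks -> identical key and ciphertext."""
    return hashlib.sha256(b'convergent-key|' + chunk).digest()

class DedupStore:
    """Server side: content-addressed ciphertext chunks plus opaque per-user recipes."""
    def __init__(self):
        self.chunks = {}     # chunk id (hash of ciphertext) -> ciphertext blob
        self.recipes = {}    # (user, filename) -> recipe sealed under the user's key

    def put_chunk(self, blob):
        cid = hashlib.sha256(blob).hexdigest()
        self.chunks.setdefault(cid, blob)    # identical ciphertext is stored once
        return cid

def upload(store, user, user_key, filename, data):
    recipe = []
    for i in range(0, len(data), CHUNK_SIZE):
        chunk = data[i:i + CHUNK_SIZE]
        key = convergent_key(chunk)
        cid = store.put_chunk(seal(key, ZERO_NONCE, chunk))
        recipe.append(cid + ':' + key.hex())
    # Only the user can read which chunks (and which keys) make up the file.
    nonce = secrets.token_bytes(16)
    store.recipes[(user, filename)] = seal(user_key, nonce, '\n'.join(recipe).encode())

def download(store, user, user_key, filename):
    recipe = unseal(user_key, store.recipes[(user, filename)]).decode().split('\n')
    out = b''
    for entry in recipe:
        cid, key_hex = entry.split(':')
        out += unseal(bytes.fromhex(key_hex), store.chunks[cid])
    return out

def attacker_confirms_chunk(store, guessed_chunk):
    """Caveat: ciphertext is a deterministic function of content, so a guessed
    chunk can be re-encrypted and looked up (confirmation-of-content attack)."""
    blob = seal(convergent_key(guessed_chunk), ZERO_NONCE, guessed_chunk)
    return hashlib.sha256(blob).hexdigest() in store.chunks

# Constructed sample data: two users' files share the middle chunk.
SHARED = b'SHARED-LICENSE-TXT'[:CHUNK_SIZE]
FILE_A = b'alice-private-1!' + SHARED + b'alice-private-2!'
FILE_B = b'bob-private-1!!!' + SHARED + b'bob-private-2!!!'

def demo():
    store = DedupStore()
    alice_key, bob_key = secrets.token_bytes(32), secrets.token_bytes(32)
    upload(store, 'alice', alice_key, 'a.txt', FILE_A)
    upload(store, 'bob', bob_key, 'b.txt', FILE_B)
    try:
        unseal(bob_key, store.recipes[('alice', 'a.txt')])
        recipe_opaque = False
    except ValueError:
        recipe_opaque = True        # Bob (or the server) cannot open Alice's recipe
    return {
        'chunks_uploaded': 6,
        'chunks_stored': len(store.chunks),
        'alice_ok': download(store, 'alice', alice_key, 'a.txt') == FILE_A,
        'bob_ok': download(store, 'bob', bob_key, 'b.txt') == FILE_B,
        'recipe_opaque': recipe_opaque,
        'guess_confirmed': attacker_confirms_chunk(store, SHARED),
        'guess_rejected': attacker_confirms_chunk(store, b'not-stored-chunk'),
    }
```

Six chunks go in, five are stored; the shared chunk deduplicates across users even though neither user ever shared a key. The last two results show the limit of "keys cannot be deduced from the encrypted chunk data": the key is not deducible, but a chunk whose content is guessable is confirmable.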


Journal ArticleDOI
TL;DR: In this paper, an implementation of digital image encryption scheme based on the mixture of chaotic systems is reported, showing advantages of large key space and high-level security.
Abstract: Chaos-based encryption appeared in the early 1990s as an original application of nonlinear dynamics in the chaotic regime. In this paper, an implementation of a digital image encryption scheme based on the mixture of chaotic systems is reported. The chaotic cryptography technique used in this paper is a symmetric key cryptography. In this algorithm, a typical coupled map was mixed with a one-dimensional chaotic map and used for high degree security image encryption while its speed is acceptable. The proposed algorithm is described in detail, along with its security analysis and implementation. The experimental results based on the mixture of chaotic maps confirm the effectiveness of the proposed method and of the implementation of the algorithm. This mixture application of chaotic maps shows advantages of large key space and high-level security. The ciphertext generated by this method is the same size as the plaintext and is suitable for practical use in the secure transmission of confidential information over the Internet.

383 citations


Book ChapterDOI
03 Jun 2008
TL;DR: This work proposes attribute-based encryption schemes where encryptor-specified access structures (also called ciphertext policies) are hidden and proves security of the construction based on the Decisional Bilinear Diffie-Hellman assumption and the Decision Linear assumption.
Abstract: We propose attribute-based encryption schemes where encryptor-specified access structures (also called ciphertext policies) are hidden. By using our schemes, an encryptor can encrypt data with a hidden access structure. A decryptor obtains her secret key associated with her attributes from a trusted authority in advance and, if the attributes associated with the decryptor's secret key do not satisfy the access structure associated with the encrypted data, the decryptor cannot decrypt the data or even guess what access structure was specified by the encryptor. We prove security of our construction based on the Decisional Bilinear Diffie-Hellman assumption and the Decision Linear assumption. In our security notion, even the legitimate decryptor cannot obtain more information about the access structure associated with the encrypted data than the fact that she can decrypt the data.

370 citations


Journal ArticleDOI
TL;DR: In this article, the performance of permutation-only multimedia ciphers against known/chosen-plaintext attacks was analyzed and it was shown that O(log_L(MN)) chosen plaintexts are sufficient to recover not less than (in an average sense) half of the plaintext.
Abstract: In recent years secret permutations have been widely used for protecting different types of multimedia data, including speech files, digital images and videos. Based on a general model of permutation-only multimedia ciphers, this paper performs a quantitative cryptanalysis on the performance of this kind of cipher against plaintext attacks. When the plaintext is of size M×N and with L different levels of values, the following quantitative cryptanalytic findings have been concluded under the assumption of a uniform distribution of each element in the plaintext: (1) all permutation-only multimedia ciphers are practically insecure against known/chosen-plaintext attacks in the sense that only O(log_L(MN)) known/chosen plaintexts are sufficient to recover not less than (in an average sense) half of the elements of the plaintext; (2) the computational complexity of the known/chosen-plaintext attack is only O(n·(MN)^2), where n is the number of known/chosen plaintexts used. When the plaintext has a non-uniform distribution, the number of required plaintexts and the computational complexity is also discussed. Experiments are given to demonstrate the real performance of the known-plaintext attack for a typical permutation-only image cipher.

336 citations
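The abstract states the bound but not the mechanism of the attack. The following Python is an added example written for this page, not the paper's code: it implements a permutation-only image cipher and the known-plaintext attack against it. For each ciphertext position the attacker keeps the set of plaintext positions whose value matches in every known pair; each extra pair shrinks that set by a factor of about L, which is where the log_L(MN) comes from. The image size (32×32, L = 256 grey levels), the random-image model and the seed are constructed for the demo.

```python
import random

M, N, L = 32, 32, 256      # image size and number of grey levels (constructed)
MN = M * N

def keygen(rng):
    """Secret key: a permutation of the MN pixel positions."""
    perm = list(range(MN))
    rng.shuffle(perm)
    return perm

def encrypt(img, perm):
    """Pixel i of the plaintext moves to position perm[i] of the ciphertext."""
    ct = [0] * MN
    for i, p in enumerate(perm):
        ct[p] = img[i]
    return ct

def random_image(rng):
    """Uniform pixel values, the distribution assumed in the paper's bound."""
    return [rng.randrange(L) for _ in range(MN)]

def known_plaintext_attack(pairs):
    """Return {plaintext position: ciphertext position} for every position that
    the known (plaintext, ciphertext) pairs pin down uniquely."""
    candidates = [None] * MN                 # per ciphertext position: possible sources
    for img, ct in pairs:
        by_value = {}
        for i, v in enumerate(img):
            by_value.setdefault(v, set()).add(i)
        for j in range(MN):
            sources = by_value[ct[j]]        # plaintext positions carrying this value
            candidates[j] = set(sources) if candidates[j] is None else candidates[j] & sources
    recovered = {}
    for j, sources in enumerate(candidates):
        if len(sources) == 1:                # the true source is always in the set,
            recovered[next(iter(sources))] = j   # so a singleton is exact
    return recovered

def decrypt_with_partial_key(ct, recovered, fill=0):
    """Undo the permutation where it is known; leave other pixels as `fill`."""
    img = [fill] * MN
    for i, j in recovered.items():
        img[i] = ct[j]
    return img

def experiment(num_known, seed=2008):
    """Attack with `num_known` known plaintexts, then decrypt a fresh ciphertext."""
    rng = random.Random(seed)
    perm = keygen(rng)
    pairs = []
    for _ in range(num_known):
        img = random_image(rng)
        pairs.append((img, encrypt(img, perm)))
    recovered = known_plaintext_attack(pairs)
    fresh = random_image(rng)
    guess = decrypt_with_partial_key(encrypt(fresh, perm), recovered)
    correct = sum(1 for a, b in zip(fresh, guess) if a == b)
    return {
        'key_recovered': len(recovered) / MN,
        'pixels_correct': correct / MN,
        'exact': all(perm[i] == j for i, j in recovered.items()),
    }

if __name__ == '__main__':
    for k in (1, 2, 3):
        print(k, experiment(k))
```

Here log_L(MN) = log_256(1024) is about 1.25, and two known plaintexts already recover nearly the whole permutation; a single one leaves about L candidates per position and recovers almost nothing. Images with many equal-valued pixels (the non-uniform case the abstract mentions) need more pairs, since equal values are what keep candidate sets large.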


Book ChapterDOI
09 Mar 2008
TL;DR: This paper presents the first construction of a unidirectional proxy re-encryption scheme with chosen-ciphertext security in the standard model (i.e. without relying on the random oracle idealization), which solves a problem left open at CCS'07.
Abstract: In 1998, Blaze, Bleumer, and Strauss proposed a cryptographic primitive called proxy re-encryption, in which a proxy transforms, without seeing the corresponding plaintext, a ciphertext computed under Alice's public key into one that can be opened using Bob's secret key. Recently, an appropriate definition of chosen-ciphertext security and a construction fitting this model were put forth by Canetti and Hohenberger. Their system is bidirectional: the information released to divert ciphertexts from Alice to Bob can also be used to translate ciphertexts in the opposite direction. In this paper, we present the first construction of a unidirectional proxy re-encryption scheme with chosen-ciphertext security in the standard model (i.e. without relying on the random oracle idealization), which solves a problem left open at CCS'07. Our construction is efficient and requires a reasonable complexity assumption in bilinear map groups. Like the Canetti-Hohenberger scheme, it ensures security according to a relaxed definition of chosen-ciphertext security introduced by Canetti, Krawczyk and Nielsen.

289 citations


Book ChapterDOI
02 Dec 2008
TL;DR: In this article, a new proxy re-encryption scheme without resorting to bilinear pairings is proposed, and the chosen-ciphertext security of the proposed scheme is proved in the random oracle model.
Abstract: In a proxy re-encryption system, a semi-trusted proxy can convert a ciphertext originally intended for Alice into a ciphertext intended for Bob, without learning the underlying plaintext. Proxy re-encryption has found many practical applications, such as encrypted email forwarding, secure distributed file systems, and outsourced filtering of encrypted spam. In ACM CCS'07, Canetti and Hohenberger presented a proxy re-encryption scheme with chosen-ciphertext security, and left an important open problem: to construct a chosen-ciphertext secure proxy re-encryption scheme without pairings. In this paper, we solve this open problem by proposing a new proxy re-encryption scheme without resorting to bilinear pairings. Based on the computational Diffie-Hellman (CDH) problem, the chosen-ciphertext security of the proposed scheme is proved in the random oracle model.

279 citations


Journal ArticleDOI
TL;DR: This Letter proposes two different attacks on a recently proposed image encryption scheme based on hyper-chaos: a chosen plaintext attack and a chosen ciphertext attack, either of which can be used to recover the ciphered image without any knowledge of the key value.

241 citations


Book ChapterDOI
14 Dec 2008
TL;DR: This paper presents a threshold multi-authority fuzzy identity based encryption (MA-FIBE) scheme without a central authority for the first time; the security proof is based on the secrecy of the underlying joint random secret sharing protocol and joint zero secret sharing protocol and the standard decisional bilinear Diffie-Hellman assumption.
Abstract: An attribute based encryption scheme (ABE) is a cryptographic primitive in which every user is identified by a set of attributes, and some function of these attributes is used to determine the ability to decrypt each ciphertext. Chase proposed the first multi-authority ABE scheme in TCC 2007 as an answer to an open problem presented by Sahai and Waters in EUROCRYPT 2005. However, her scheme needs a fully trusted central authority which can decrypt every ciphertext in the system. This central authority would endanger the whole system if it is corrupted. This paper presents a threshold multi-authority fuzzy identity based encryption (MA-FIBE) scheme without a central authority for the first time. An encryptor can encrypt a message such that a user can only decrypt if he has at least d_k of the attributes specified for the message for at least t + 1 (t ≤ n/2) honest authorities out of the n attribute authorities in the proposed scheme. The security proof is based on the secrecy of the underlying joint random secret sharing protocol and joint zero secret sharing protocol and the standard decisional bilinear Diffie-Hellman assumption. The proposed MA-FIBE could be extended to a threshold multi-authority attribute based encryption (MA-ABE) scheme and further extended to a proactive MA-ABE scheme.

Journal ArticleDOI
TL;DR: In this paper, a ciphertext-only cryptanalysis of GSM (Global System for Mobile communications) encrypted communication is presented, and various active attacks on the GSM protocols are discussed.
Abstract: In this paper we present a very practical ciphertext-only cryptanalysis of GSM (Global System for Mobile communications) encrypted communication, and various active attacks on the GSM protocols. These attacks can even break into GSM networks that use “unbreakable” ciphers. We first describe a ciphertext-only attack on A5/2 that requires a few dozen milliseconds of encrypted off-the-air cellular conversation and finds the correct key in less than a second on a personal computer. We extend this attack to a (more complex) ciphertext-only attack on A5/1. We then describe new (active) attacks on the protocols of networks that use A5/1, A5/3, or even GPRS (General Packet Radio Service). These attacks exploit flaws in the GSM protocols, and they work whenever the mobile phone supports a weak cipher such as A5/2. We emphasize that these attacks are on the protocols, and are thus applicable whenever the cellular phone supports a weak cipher, for example, they are also applicable for attacking A5/3 networks using the cryptanalysis of A5/1. Unlike previous attacks on GSM that require unrealistic information, like long known-plaintext periods, our attacks are very practical and do not require any knowledge of the content of the conversation. Furthermore, we describe how to fortify the attacks to withstand reception errors. As a result, our attacks allow attackers to tap conversations and decrypt them either in real-time, or at any later time. We present several attack scenarios such as call hijacking, altering of data messages and call theft.

Proceedings ArticleDOI
27 Oct 2008
TL;DR: A traitor tracing system where ciphertext size is "constant," namely independent of the number of users in the system and the collusion bound, based on recent constructions for fingerprinting codes.
Abstract: A traitor tracing system enables a publisher to trace a pirate decryption box to one of the secret keys used to create the box. We present a traitor tracing system where ciphertext size is "constant," namely independent of the number of users in the system and the collusion bound. A ciphertext in our system consists of only two elements, where the length of each element depends only on the security parameter. The downside is that private-key size is quadratic in the collusion bound. Our construction is based on recent constructions for fingerprinting codes.

Book ChapterDOI
Qiang Tang
14 Dec 2008
TL;DR: In this article, the authors proposed type-based proxy re-encryption, which enables the delegator to selectively delegate his decryption right to the delegatee while only requiring one key pair.
Abstract: Recently, the concept of proxy re-encryption has been shown very useful in a number of applications, especially in enforcing access control policies. In existing proxy re-encryption schemes, the delegatee can decrypt all ciphertexts for the delegator after re-encryption by the proxy. Consequently, in order to implement fine-grained access control policies, the delegator needs to either use multiple key pairs or trust the proxy to behave honestly. In this paper, we extend this concept and propose type-based proxy re-encryption, which enables the delegator to selectively delegate his decryption right to the delegatee while needing only one key pair. As a result, type-based proxy re-encryption enables the delegator to implement fine-grained policies with one key pair without any additional trust in the proxy. We provide a security model for our concept and provide formal definitions for semantic security and ciphertext privacy, which is a valuable attribute in privacy-sensitive contexts. We propose two type-based proxy re-encryption schemes: one is CPA secure with ciphertext privacy while the other is CCA secure without ciphertext privacy.

Book ChapterDOI
17 Aug 2008
TL;DR: This paper proposes a candidate achieving all the above dynamic properties, that is semantically secure in the standard model, under a new non-interactive assumption, that fits into the general Diffie-Hellman exponent framework on groups with a bilinear map.
Abstract: This paper deals with threshold public-key encryption, which allows a pool of players to decrypt a ciphertext if a given threshold of authorized players cooperate. We generalize this primitive to the dynamic setting, where any user can dynamically join the system, as a possible recipient; the sender can dynamically choose the authorized set of recipients, for each ciphertext; and the sender can dynamically set the threshold t for decryption capability among the authorized set. We first give a formal security model, which includes strong robustness notions, and then we propose a candidate achieving all the above dynamic properties, that is semantically secure in the standard model, under a new non-interactive assumption, that fits into the general Diffie-Hellman exponent framework on groups with a bilinear map. It furthermore compares favorably with previous proposals, a.k.a. threshold broadcast encryption, since this is the first threshold public-key encryption, with dynamic authorized set of recipients and dynamic threshold, that provides constant-size ciphertexts.

Book ChapterDOI
17 Aug 2008
TL;DR: This paper presents a new kind of cryptanalytic attack which utilizes bugs in the hardware implementation of computer instructions, and shows that in the case of RSA (even when protected by OAEP), Pohlig-Hellman, elliptic curve cryptography, and several other schemes, such bugs can be a security disaster.
Abstract: In this paper we present a new kind of cryptanalytic attack which utilizes bugs in the hardware implementation of computer instructions. The best known example of such a bug is the Intel division bug, which resulted in slightly inaccurate results for extremely rare inputs. Whereas in most applications such bugs can be viewed as a minor nuisance, we show that in the case of RSA (even when protected by OAEP), Pohlig-Hellman, elliptic curve cryptography, and several other schemes, such bugs can be a security disaster: Decrypting ciphertexts on any computer which multiplies even one pair of numbers incorrectly can lead to full leakage of the secret key, sometimes with a single well-chosen ciphertext.
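The mechanism behind "full leakage of the secret key" for RSA is easiest to see with CRT decryption: if the faulty multiplication lands in the mod-p half of the computation but not the mod-q half, the wrong output m' still satisfies m'^e ≡ c (mod q) while failing mod p, so gcd(m'^e − c, N) = q. The following Python is an added example written for this page, not the paper's attack: it uses textbook RSA-CRT (no OAEP) with constructed toy parameters (two Mersenne primes) and a constructed multiplier bug that corrupts the product whenever the left operand has a particular low-12-bit pattern. The paper's stronger point is that the attacker can craft one ciphertext that is guaranteed to hit the buggy operand pair in exactly one CRT branch; the demo instead feeds random ciphertexts and runs the gcd test on every decryption output it gets back, which is all the attacker ever sees.

```python
import random
from math import gcd

# Toy parameters (constructed): two Mersenne primes, public exponent 65537.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D_P, D_Q = pow(E, -1, P - 1), pow(E, -1, Q - 1)   # CRT exponents
Q_INV = pow(Q, -1, P)                              # for Garner recombination

# Constructed hardware bug: the multiplier returns a wrong product whenever the
# left operand's low 12 bits equal 0xABC (rare, like a real instruction bug).
BUG_MASK, BUG_PATTERN = 0xFFF, 0xABC

def buggy_mul(a, b, mod):
    r = a * b
    if (a & BUG_MASK) == BUG_PATTERN:
        r ^= 1 << 7                 # one flipped bit in the product
    return r % mod

def correct_mul(a, b, mod):
    return (a * b) % mod

def modexp(base, exp, mod, mul):
    """Left-to-right square-and-multiply; every step goes through `mul`."""
    r = 1
    for bit in bin(exp)[2:]:
        r = mul(r, r, mod)
        if bit == '1':
            r = mul(r, base, mod)
    return r

def rsa_crt_decrypt(c, mul=buggy_mul):
    """Standard CRT decryption as a library would do it for speed."""
    mp = modexp(c % P, D_P, P, mul)
    mq = modexp(c % Q, D_Q, Q, mul)
    h = (Q_INV * (mp - mq)) % P
    return mq + h * Q

def bug_attack(max_tries=5000, seed=1):
    """Attacker submits ciphertexts, sees only the returned plaintexts, and
    checks each one: a fault in exactly one CRT branch leaks a factor of N."""
    rng = random.Random(seed)
    for tries in range(1, max_tries + 1):
        c = rng.randrange(2, N)
        m = rsa_crt_decrypt(c)                     # possibly faulty output
        g = gcd((pow(m, E, N) - c) % N, N)
        if 1 < g < N:                              # g == N: no fault; g == 1: both halves faulty
            return g, tries
    return None, max_tries

if __name__ == '__main__':
    factor, tries = bug_attack()
    print(f'found factor after {tries} decryptions: {factor == P or factor == Q}')
```

Most decryptions come back correct (the bug is rare), which is exactly why such a bug is "a minor nuisance" elsewhere; the attacker only needs one output where the two halves disagree. A CRT implementation that verifies m^e ≡ c (mod N) before releasing m would stop this particular leak, at the cost of an extra public-key operation.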

Book ChapterDOI
07 Dec 2008
TL;DR: In this article, the authors showed how to achieve CCA-security under the CDH assumption without increasing the size of ciphertexts, and also showed a more efficient scheme under the hashed Diffie-Hellman assumption.
Abstract: Recently Cash, Kiltz, and Shoup [13] showed a variant of the Cramer-Shoup (CS) scheme [14] whose chosen-ciphertext (CCA) security relies on the computational Diffie-Hellman (CDH) assumption. The cost for this high security is that the size of ciphertexts is much longer than the CS scheme (which is based on the decisional Diffie-Hellman assumption). In this paper, we show how to achieve CCA-security under the CDH assumption without increasing the size of ciphertexts. We also show a more efficient scheme under the hashed Diffie-Hellman assumption. Both of our schemes are based on a certain broadcast encryption (BE) scheme while the Cash-Kiltz-Shoup scheme is based on the Twin DH problem. Of independent interest, we also show a generic method of constructing CCA-secure PKE schemes from BE schemes.

Journal ArticleDOI
TL;DR: An encrypted wireless sensor network (eWSN) concept is introduced, in which stochastic enciphers operating on binary sensor outputs disguise those outputs.
Abstract: We consider decentralized estimation of a noise-corrupted deterministic signal in a bandwidth-constrained sensor network communicating through an insecure medium. Each sensor collects a noise-corrupted version, performs a local quantization, and transmits a 1-bit message to an ally fusion center through a wireless medium where the sensor outputs are vulnerable to unauthorized observation from enemy/third-party fusion centers. In this paper, we introduce an encrypted wireless sensor network (eWSN) concept where stochastic enciphers operating on binary sensor outputs are introduced to disguise the sensor outputs, creating an eWSN scheme. Noting that the plaintext (original) and ciphertext (disguised) messages are constrained to a single bit due to bandwidth constraints, we consider a binary channel-like scheme to probabilistically encipher (i.e., flip) the sensor outputs. We first consider a symmetric key encryption case where the "0" and "1" enciphering probabilities are equal. The key is represented by the bit enciphering probability. Specifically, we derive the optimal estimator of the deterministic signal approached from a maximum-likelihood perspective and the Cramer-Rao lower bound for the estimation problem utilizing the key. Furthermore, we analyze the effect of the considered cryptosystem on enemy fusion centers that are unaware of the fact that the WSN is encrypted (i.e., we derive the bias, variance, and mean square error (MSE) of the enemy fusion center). We then extend the cryptosystem to admit unequal enciphering schemes for "0" and "1", and analyze the estimation problem from both the perspectives of ally (that has access to the enciphering keys) and (third-party) enemy fusion centers. The results show that when designed properly, a significant amount of bias and MSE can be introduced to an enemy fusion center with the cost to the ally fusion center being a marginal increase [by a factor of $(1-\Omega_1-\Omega_0)^{-2}$, where $1-\Omega_j$, $j=0,1$, is the "j" enciphering probability] in the estimation variance (compared to the variance of a fusion center estimate operating in a vulnerable WSN).
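The abstract describes the scheme in words: each sensor sends one quantized bit, the bit is flipped with a key-dependent probability, the ally fusion center inverts the flip before estimating, and an eavesdropper who estimates from the raw bits is biased. The following Python is an added simulation written for this page, not the paper's derivation: it models a constant signal in Gaussian noise, threshold quantization, a binary-channel-like flip with probabilities f0 (0 to 1) and f1 (1 to 0), and the ally and enemy estimators. The signal, noise level, threshold, sensor count and flip probabilities are constructed; the variance factor is the paper's, read with f_j as the "j" enciphering probability. It uses only the standard library (statistics.NormalDist for the Gaussian quantile).

```python
import random
from statistics import NormalDist

PHI = NormalDist()   # standard normal; PHI.inv_cdf is the quantile function

def enciphered_wsn(theta, sigma, tau, n_sensors, f0, f1, rng):
    """Fraction of 1-bits that reach a fusion center. Each sensor observes
    theta + Gaussian noise, quantizes to 1 bit against threshold tau, and the
    stochastic encipher flips 0->1 with probability f0 and 1->0 with probability f1."""
    ones = 0
    for _ in range(n_sensors):
        bit = 1 if rng.gauss(theta, sigma) > tau else 0
        if rng.random() < (f1 if bit else f0):
            bit ^= 1
        ones += bit
    return ones / n_sensors

def _theta_from_p1(p1, sigma, tau):
    """Invert P(bit = 1) = Phi((theta - tau) / sigma), clamped away from 0 and 1."""
    p1 = min(max(p1, 1e-6), 1 - 1e-6)
    return tau + sigma * PHI.inv_cdf(p1)

def ally_estimate(received_ones, sigma, tau, f0, f1):
    """Holder of the key (f0, f1) first undoes the flip channel:
    P(received 1) = (1 - f1) * p1 + f0 * (1 - p1)  =>  p1 = (r - f0) / (1 - f0 - f1)."""
    p1 = (received_ones - f0) / (1 - f0 - f1)
    return _theta_from_p1(p1, sigma, tau)

def enemy_estimate(received_ones, sigma, tau):
    """Eavesdropper unaware of the cipher treats received bits as plain quantizer output."""
    return _theta_from_p1(received_ones, sigma, tau)

def variance_factor(f0, f1):
    """Ally's price for the key: (1 - f0 - f1)^-2 inflation of the estimate variance
    (the paper's factor with 1 - Omega_j taken as the flip probability f_j)."""
    return (1 - f0 - f1) ** -2

def simulate(theta=1.0, sigma=1.0, tau=0.0, n_sensors=50000, f0=0.35, f1=0.15, seed=7):
    rng = random.Random(seed)
    r_enc = enciphered_wsn(theta, sigma, tau, n_sensors, f0, f1, rng)
    r_plain = enciphered_wsn(theta, sigma, tau, n_sensors, 0.0, 0.0, rng)  # vulnerable WSN
    return {
        'theta': theta,
        'ally': ally_estimate(r_enc, sigma, tau, f0, f1),
        'enemy': enemy_estimate(r_enc, sigma, tau),
        'unprotected': enemy_estimate(r_plain, sigma, tau),
        'variance_factor': variance_factor(f0, f1),
    }

if __name__ == '__main__':
    for name, value in simulate().items():
        print(f'{name:>15}: {value:.3f}')
```

With these parameters the eavesdropper's estimate is pulled about a quarter of a unit below the true signal while the ally, who knows the flip probabilities, lands on it; the ally's estimate is noisier than in the unprotected network by roughly the stated factor, which is the trade the abstract describes.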

Proceedings ArticleDOI
05 Nov 2008
TL;DR: A novel distributed access control approach for CDNs is proposed by exploiting a new cryptographic primitive called ciphertext policy attribute-based encryption (CP-ABE), which provides flexible yet fine-grained access control (per file level) so that the contents are available only to the authorized users.
Abstract: Access control in content distribution networks (CDNs) is a long-standing problem and has attracted extensive research. Traditional centralized access control approaches, such as the reference monitor based approach, do not suit CDNs, as such networks are of large scale and geographically distributed in nature. Current CDNs usually resort to cryptography-based distributed approaches for better fulfilling the goal of access control. Hence, it is highly critical to design and adapt appropriate cryptographic primitives for this purpose. In this paper, we propose a novel distributed access control approach for CDNs by exploiting a new cryptographic primitive called Ciphertext Policy Attribute-Based Encryption (CP-ABE). Our approach provides flexible yet fine-grained access control (per file level) so that the contents are available only to the authorized users. We further consider the protection of user privacy and enhance the current design of CP-ABE so that not only the contents themselves but also the access policies, which could lead to the revelation of sensitive user information, are well protected.

Book ChapterDOI
07 Jul 2008
TL;DR: This scheme enriches the range of available cryptographic primitives whose security relies on the hardness of the LPN problem and achieves indistinguishability under adaptive chosen plaintext attacks (IND-P2-C0).
Abstract: We present a probabilistic private-key encryption scheme named LPN-C whose security can be reduced to the hardness of the Learning from Parity with Noise (LPN) problem. The proposed protocol involves only basic operations in GF(2) and an error-correcting code. We show that it achieves indistinguishability under adaptive chosen plaintext attacks (IND-P2-C0). Appending a secure MAC renders the scheme secure under adaptive chosen ciphertext attacks. This scheme enriches the range of available cryptographic primitives whose security relies on the hardness of the LPN problem.
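The abstract gives the shape of LPN-C (GF(2) operations plus an error-correcting code, randomized encryption, a MAC appended for chosen-ciphertext security) but not the equations. The following Python is an added example written for this page, not the authors' implementation: the secret key is a random binary matrix M, a ciphertext is (a, y) with a a fresh random vector and y = C(x) ⊕ M·a ⊕ ν for Bernoulli noise ν, and decryption computes y ⊕ M·a and lets the code strip the noise. The code here is a plain repetition code with majority decoding, the HMAC-SHA256 tag over (a, y) stands in for the "secure MAC" the abstract appends, and the parameters (16-bit messages, 31-fold repetition, 128-bit vectors, noise rate 1/8) are toy values chosen for the demo, not the paper's.

```python
import hashlib
import hmac
import random

# Toy parameters (constructed): 16-bit messages, 31-fold repetition code,
# 128-bit LPN vectors, Bernoulli noise rate 1/8.
MSG_BITS, REP, K, ETA = 16, 31, 128, 0.125
CODE_BITS = MSG_BITS * REP          # length of the codeword / ciphertext body

def _parity(x):
    return bin(x).count('1') & 1

def encode(msg):
    """Repetition code over GF(2): bit b of msg becomes REP copies."""
    word = 0
    for b in range(MSG_BITS):
        if (msg >> b) & 1:
            word |= ((1 << REP) - 1) << (b * REP)
    return word

def decode(word):
    """Majority vote per block corrects up to (REP-1)//2 flipped bits per message bit."""
    msg = 0
    for b in range(MSG_BITS):
        block = (word >> (b * REP)) & ((1 << REP) - 1)
        if bin(block).count('1') * 2 > REP:
            msg |= 1 << b
    return msg

def keygen(rng):
    """Secret CODE_BITS x K binary matrix M (one K-bit int per row) plus a MAC key."""
    M = [rng.getrandbits(K) for _ in range(CODE_BITS)]
    mac_key = rng.getrandbits(256).to_bytes(32, 'big')
    return M, mac_key

def _mat_vec(M, a):
    """M * a over GF(2): bit i of the result is the parity of <M[i], a>."""
    y = 0
    for i, row in enumerate(M):
        y |= _parity(row & a) << i
    return y

def _bernoulli_vector(rng):
    """Noise vector nu with each bit set independently with probability ETA."""
    nu = 0
    for i in range(CODE_BITS):
        if rng.random() < ETA:
            nu |= 1 << i
    return nu

def _tag(mac_key, a, y):
    data = a.to_bytes(K // 8, 'big') + y.to_bytes((CODE_BITS + 7) // 8, 'big')
    return hmac.new(mac_key, data, hashlib.sha256).digest()

def encrypt(key, msg, rng):
    """LPN-C: y = C(msg) xor M*a xor nu for fresh random a and noise nu.
    The HMAC over (a, y) is the appended MAC that lifts CPA to CCA security."""
    M, mac_key = key
    a = rng.getrandbits(K)
    y = encode(msg) ^ _mat_vec(M, a) ^ _bernoulli_vector(rng)
    return a, y, _tag(mac_key, a, y)

def decrypt(key, ciphertext):
    M, mac_key = key
    a, y, tag = ciphertext
    if not hmac.compare_digest(tag, _tag(mac_key, a, y)):
        raise ValueError('MAC check failed')      # reject before touching the LPN part
    return decode(y ^ _mat_vec(M, a))             # leaves C(msg) xor nu; the code removes nu

def demo(seed=2008):
    rng = random.Random(seed)
    key = keygen(rng)
    msgs = [0x0000, 0xFFFF, 0xBEEF, 0x1234]
    roundtrip = all(decrypt(key, encrypt(key, m, rng)) == m for m in msgs)
    c1, c2 = encrypt(key, 0xBEEF, rng), encrypt(key, 0xBEEF, rng)
    a, y, tag = encrypt(key, 0xBEEF, rng)
    try:
        decrypt(key, (a, y ^ 1, tag))   # flip one ciphertext bit: the MAC must catch it
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    return {'roundtrip': roundtrip, 'randomized': c1 != c2, 'tamper_rejected': tamper_rejected}
```

Two things the demo makes concrete: the noise ν is part of the security, not a defect (without it M·a is linear and a few ciphertexts would reveal M by Gaussian elimination), so the code rate has to leave room for the expected noise weight; and without the MAC, flipping bits of y flips the corresponding decrypted bits, which is the malleability that the appended MAC removes.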

Proceedings ArticleDOI
25 Oct 2008
TL;DR: It is shown that there is no black-box construction of IBE from trapdoor permutations (TDP) or even from chosen ciphertext secure public key encryption (CCA-PKE).
Abstract: We ask whether an identity based encryption (IBE) system can be built from simpler public-key primitives. We show that there is no black-box construction of IBE from trapdoor permutations (TDP) or even from chosen ciphertext secure public key encryption (CCA-PKE). These black-box separation results are based on an essential property of IBE, namely that an IBE system is able to compress exponentially many public-keys into a short public parameters string.

Patent
James P. Schneider
28 Feb 2008
TL;DR: In this paper, a nonlinear substitution is performed on at least a portion of the data, wherein the substitution is achieved by multiplying the portion of data by one of the sub-keys over a finite field of even characteristic, modulo a fixed primitive polynomial.
Abstract: An input block of data and a key that includes multiple sub-keys are received by a block cipher. A nonlinear substitution is performed on at least a portion of the data, wherein the nonlinear substitution is achieved by multiplying the portion of the data by one of the sub-keys over a finite field of even characteristic, modulo a fixed primitive polynomial. An output block of ciphertext is then generated.

Book ChapterDOI
19 Mar 2008
TL;DR: The construction departs from the oft-used paradigm of re-encrypting the same message with different keys and then proving consistency of encryptions; instead, it encrypts an encoding of the message with certain locally testable and self-correcting properties.
Abstract: We show how to transform any semantically secure encryption scheme into a non-malleable one, with a black-box construction that achieves a quasi-linear blow-up in the size of the ciphertext. This improves upon the previous non-black-box construction of Pass, Shelat and Vaikuntanathan (Crypto '06). Our construction also extends readily to guarantee non-malleability under a bounded-CCA2 attack, thereby simultaneously improving on both results in the work of Cramer et al. (Asiacrypt '07). Our construction departs from the oft-used paradigm of re-encrypting the same message with different keys and then proving consistency of encryptions; instead, we encrypt an encoding of the message with certain locally testable and self-correcting properties. We exploit the fact that low-degree polynomials are simultaneously good error-correcting codes and a secret-sharing scheme.

Journal ArticleDOI
TL;DR: This Letter proposes two different attacks on a recently proposed chaotic cryptosystem for images and videos, both based on a weakness in the generation of the keystream, and suggests making the cryptosystem robust against the described attacks by redesigning it in a PCBC mode.

Posted Content
TL;DR: Fuzzy identity based signature possesses a similar error-tolerance property as fuzzy IBE, which allows a user with the private key for identity ω to decrypt a ciphertext encrypted for identity ω' if and only if ω and ω' are within a certain distance judged by some metric.
Abstract: We introduce a new cryptographic primitive which is the signature analogue of fuzzy identity based encryption (IBE). We call it fuzzy identity based signature (IBS). It possesses a similar error-tolerance property as fuzzy IBE, which allows a user with the private key for identity ω to decrypt a ciphertext encrypted for identity ω' if and only if ω and ω' are within a certain distance judged by some metric. A fuzzy IBS is useful whenever we need to allow the user to issue a signature on behalf of the group that has certain attributes. Fuzzy IBS can also be applied to biometric identity based signature. To our best knowledge, this primitive was never considered in identity based signature before. We give the definition and security model of the new primitive and present the first practical implementation based on the Sahai-Waters construction [6] and the two level hierarchical signature of Boyen and Waters [9]. We prove that our scheme is existentially unforgeable against adaptively chosen message attack without random oracles.

Journal ArticleDOI
TL;DR: This paper proposes two PKBE schemes for stateless receivers which are transmission-efficient, secure against any number of colluders and do not require costly re-keying procedures followed by revocation of users.
Abstract: Broadcast encryption allows a sender to securely distribute messages to a dynamically changing set of users over an insecure channel. In a public key broadcast encryption (PKBE) scheme, this encryption is performed in the public key setting, where the public key is stored in a user's device or directly transmitted to the receivers along with ciphertexts. In this paper, we propose two PKBE schemes for stateless receivers which are transmission-efficient. A distinctive feature of our first construction is that, different from existing schemes in the literature, only the fraction of the public key related to the set of intended receivers is required in the decryption process. This feature results in the first PKBE scheme with O(r) transmission cost and O(1) user storage cost for r revoked users. Our second construction is a generalized version of the first one, providing a tradeoff between ciphertext size and public key size. With appropriate parametrization, we obtain a PKBE scheme with O(√n) transmission cost and O(1) user storage cost for any large set of n users. The transmission cost of our second scheme is at least 30% less than that of the recent PKBE scheme of Boneh et al., which is considered the current state of the art. By combining the two proposed schemes, we suggest a PKBE scheme that achieves further shortened transmissions while still maintaining O(1) user storage cost. The proposed schemes are secure against any number of colluders and do not require costly re-keying procedures following revocation of users.

Journal ArticleDOI
TL;DR: An algorithm for embedding compression in the Baptista-type chaotic cryptosystem is proposed and it is shown that the compression performance on standard test files is satisfactory while the security is not compromised.
Abstract: An algorithm for embedding compression in the Baptista-type chaotic cryptosystem is proposed. The lookup table used for encryption is determined adaptively by the probability of occurrence of plaintext symbols. As a result, more probable symbols will have a higher chance to be visited by the chaotic search trajectory. The required number of iterations is small and can be represented by a short code. The compression capability is thus achieved. Simulation results show that the compression performance on standard test files is satisfactory while the security is not compromised. Our scheme also guarantees that the ciphertext is not longer than the plaintext.

Journal ArticleDOI
TL;DR: The security analysis shows that breaking LDEA is almost impossible since the length of the random key is adjustable, and the experimental results show that the ciphertext can only be decrypted under the restriction of the TD.
Abstract: The widespread deployment of WLANs and the popularity of mobile devices increase the frequency of data transmission among mobile users. However, most data encryption technology is location-independent: encrypted data can be decrypted anywhere, and the encryption technology cannot restrict the location of data decryption. In order to meet the future demands of mobile users, a location-dependent approach, called the location-dependent data encryption algorithm (LDEA), is proposed in this paper. A target latitude/longitude coordinate is determined first. The coordinate is incorporated with a random key for data encryption. The receiver can only decrypt the ciphertext when the coordinate acquired from its GPS receiver matches the target coordinate. However, current GPS receivers are inaccurate and inconsistent, so the location of a mobile user is difficult to match exactly with the target coordinate. A toleration distance (TD) is therefore also designed into LDEA to increase its practicality. The security analysis shows that breaking LDEA is almost impossible since the length of the random key is adjustable. A prototype is also implemented for experimental study. The results show that the ciphertext can only be decrypted under the restriction of the TD. This illustrates that LDEA is effective and practical for data transmission in mobile environments.

Proceedings ArticleDOI
22 Sep 2008
TL;DR: This paper proposes a highly scalable solution for dynamic multicast group setup that simultaneously protects group membership anonymity, via a novel design that integrates both ciphertext-policy attribute-based encryption (CP-ABE) and centralized flat table (CFT) techniques.
Abstract: In many applications, it is desirable to dynamically establish temporary multicast groups for secure message delivery. It is also often the case that the group membership information itself is sensitive and needs to be well protected. However, existing solutions either fail to address the issue of membership anonymity or do not scale well for dynamically established groups. In this paper, we propose a highly scalable solution for dynamic multicast group setup that simultaneously protects group membership anonymity. In the proposed solution, scalability and membership anonymity are achieved via a novel design that integrates both ciphertext-policy attribute-based encryption (CP-ABE) and centralized flat table (CFT) techniques. In our design, multicast groups are specified through group member attributes represented by the binary member ID only, which achieves scalability. Also, a high level of membership anonymity is guaranteed, such that every group member knows nothing but his own group membership. The proposed solution is also efficient in communication: the ciphertext size is only O(n), where n is the length of a group member ID, independent of the group size.

Journal ArticleDOI
TL;DR: This paper presents an efficient certificate-based encryption scheme which is fully secure in the standard model and more efficient (in terms of computational cost and ciphertext size) than any of the previous constructions known without random oracles.