
Showing papers on "Ciphertext published in 2009"


Proceedings ArticleDOI
09 Nov 2009
TL;DR: This paper proposes a solution which removes the trusted central authority, and protects the users' privacy by preventing the authorities from pooling their information on particular users, thus making ABE more usable in practice.
Abstract: Attribute based encryption (ABE) [13] determines decryption ability based on a user's attributes. In a multi-authority ABE scheme, multiple attribute-authorities monitor different sets of attributes and issue corresponding decryption keys to users, and encryptors can require that a user obtain keys for appropriate attributes from each authority before decrypting a message. Chase [5] gave a multi-authority ABE scheme using the concepts of a trusted central authority (CA) and global identifiers (GID). However, the CA in that construction has the power to decrypt every ciphertext, which seems somehow contradictory to the original goal of distributing control over many potentially untrusted authorities. Moreover, in that construction, the use of a consistent GID allowed the authorities to combine their information to build a full profile with all of a user's attributes, which unnecessarily compromises the privacy of the user. In this paper, we propose a solution which removes the trusted central authority, and protects the users' privacy by preventing the authorities from pooling their information on particular users, thus making ABE more usable in practice.

827 citations


Posted Content
TL;DR: In this article, the authors presented a new methodology for proving security of encryption systems using what they call Dual System Encryption, which is a new way to prove security of IBE and related encryption systems.
Abstract: We present a new methodology for proving security of encryption systems using what we call Dual System Encryption. Our techniques result in fully secure Identity-Based Encryption (IBE) and Hierarchical Identity-Based Encryption (HIBE) systems under the simple and established decisional Bilinear Diffie-Hellman and decisional Linear assumptions. Our IBE system has ciphertexts, private keys, and public parameters each consisting of a constant number of group elements. These results are the first HIBE system and the first IBE system with short parameters under simple assumptions. In a Dual System Encryption system both ciphertexts and private keys can take on one of two indistinguishable forms. A private key or ciphertext will be normal if they are generated respectively from the system's key generation or encryption algorithm. These keys and ciphertexts will behave as one expects in an IBE system. In addition, we define semi-functional keys and ciphertexts. A semi-functional private key will be able to decrypt all normally generated ciphertexts; however, decryption will fail if one attempts to decrypt a semi-functional ciphertext with a semi-functional private key. Analogously, semi-functional ciphertexts will be decryptable only by normal private keys. Dual System Encryption opens up a new way to prove security of IBE and related encryption systems. We define a sequence of games where we change first the challenge ciphertext and then the private keys one by one to be semi-functional. We finally end up in a game where the challenge ciphertext and all private keys are semi-functional at which point proving security is straightforward.
∗Supported by NSF CNS-0716199, Air Force Office of Scientific Research (AFOSR) under the MURI award for "Collaborative policies and assured information sharing" (Project PRESIDIO) and the U.S. Department of Homeland Security under Grant Award Number 2006-CS-001-000001.

650 citations


Book ChapterDOI
19 Aug 2009
TL;DR: This work builds an efficient three-round AKA in the Random-Oracle Model, which is resilient to key-leakage attacks that can occur prior-to and after a protocol execution, and allows for repeated "invisible updates" of the secret key, allowing for an unlimited amount of leakage overall.
Abstract: We study the design of cryptographic primitives resilient to key-leakage attacks, where an attacker can repeatedly and adaptively learn information about the secret key, subject only to the constraint that the overall amount of such information is bounded by some parameter ?. We construct a variety of leakage-resilient public-key systems including the first known identification schemes (ID), signature schemes and authenticated key agreement protocols (AKA). Our main result is an efficient three-round AKA in the Random-Oracle Model, which is resilient to key-leakage attacks that can occur prior-to and after a protocol execution. Our AKA protocol can be used as an interactive encryption scheme with qualitatively stronger privacy guarantees than non-interactive encryption schemes (constructed in prior and concurrent works), which are inherently insecure if the adversary can perform leakage attacks after seeing a ciphertext. Moreover, our schemes can be flexibly extended to the Bounded-Retrieval Model, allowing us to tolerate a very large absolute amount of adversarial leakage ? (potentially many gigabytes of information), only by increasing the size of the secret key and without any other loss of efficiency in communication or computation. Concretely, given any leakage parameter ?, security parameter ?, and any desired fraction 0 < ? ≤ 1, our schemes have the following properties: Secret key size is ?(1 + ?) + O(?). Public key size is O(?), and independent of ?. Communication complexity is O(?/?), and independent of ?. Computation reads O(?/? 2) locations of the secret key, independent of ?. Lastly, we show that our schemes allow for repeated "invisible updates" of the secret key, allowing us to tolerate up to ? bits of leakage in between any two updates, and an unlimited amount of leakage overall. These updates require that the parties can securely store a short "master update key" (e.g. on a separate secure device protected against leakage), which is only used for updates and not during protocol execution. The updates are invisible in the sense that a party can update its secret key at any point in time, without modifying the public key or notifying the other users.

334 citations


Journal ArticleDOI
TL;DR: This article proposes a simple and provably secure encryption scheme that allows efficient additive aggregation of encrypted data and constructs an end-to-end aggregate authentication scheme that is secure against outsider-only attacks, based on the indistinguishability property of a pseudorandom function (PRF), a standard cryptographic primitive.
Abstract: Wireless sensor networks (WSNs) are composed of tiny devices with limited computation and battery capacities. For such resource-constrained devices, data transmission is a very energy-consuming operation. To maximize WSN lifetime, it is essential to minimize the number of bits sent and received by each device. One natural approach is to aggregate sensor data along the path from sensors to the sink. Aggregation is especially challenging if end-to-end privacy between sensors and the sink (or aggregate integrity) is required. In this article, we propose a simple and provably secure encryption scheme that allows efficient additive aggregation of encrypted data. Only one modular addition is necessary for ciphertext aggregation. The security of the scheme is based on the indistinguishability property of a pseudorandom function (PRF), a standard cryptographic primitive. We show that aggregation based on this scheme can be used to efficiently compute statistical values, such as mean, variance, and standard deviation of sensed data, while achieving significant bandwidth savings. To protect the integrity of the aggregated data, we construct an end-to-end aggregate authentication scheme that is secure against outsider-only attacks, also based on the indistinguishability property of PRFs.

328 citations


Book ChapterDOI
31 Jul 2009
TL;DR: A new cryptosystem called Broadcast ABE is proposed, used to construct ABE systems with direct revocation mechanism, and appears to be the first fully-functional directly revocable schemes for key-policy and ciphertext-policy.
Abstract: An attribute-based encryption (ABE) system enables an access control mechanism over encrypted data by specifying access policies among private keys and ciphertexts. There are two flavors of ABE, namely key-policy and ciphertext-policy, depending on whether access policies are associated with private keys or with ciphertexts. In this paper we propose a new cryptosystem called Broadcast ABE for both flavors. Broadcast ABE can be used to construct ABE systems with a direct revocation mechanism. Direct revocation has a useful property that revocation can be done without affecting any non-revoked users; in particular, it does not require users to update keys periodically. For the key-policy variant, our systems appear to be the first fully-functional directly revocable schemes. For the ciphertext-policy variant, our systems improve the efficiency over the previously best revocable schemes; in particular, one of our schemes admits ciphertext and private key sizes roughly the same as the currently best (non-revocable) ciphertext-policy ABE. Broadcast ABE can also be utilized to construct multi-authority ABE in the disjunctive setting.

258 citations


Proceedings ArticleDOI
10 Mar 2009
TL;DR: Another kind of key delegating capability in the scheme is developed and the proposed scheme is proved selective-structure chosen plaintext secure and master key secure without random oracles.
Abstract: Attribute based proxy re-encryption (ABPRE) is a new cryptographic primitive which extends traditional proxy re-encryption (public key or identity based cryptosystems) to the attribute based counterpart, and thus empowers users with delegating capability in the access control environment. Users, identified by attributes, can freely designate a proxy who can re-encrypt a ciphertext related to a certain access policy into another one with a different access policy. The proposed scheme is proved selective-structure chosen plaintext secure and master key secure without random oracles. Besides, we develop another kind of key delegating capability in our scheme and also discuss some related issues including a stronger security model and applications.

256 citations


Journal Article
TL;DR: In this article, a new Ciphertext-Policy Attribute-Based Encryption (CP-ABE) with constant ciphertext length was proposed, and the number of pairing computations was also constant.
Abstract: An Attribute-Based Encryption (ABE) is an encryption scheme, where users with some attributes can decrypt ciphertexts associated with these attributes. However, the length of the ciphertext depends on the number of attributes in previous ABE schemes. In this paper, we propose a new Ciphertext-Policy Attribute-Based Encryption (CP-ABE) with constant ciphertext length. Moreover, the number of pairing computations is also constant.

230 citations


Book ChapterDOI
23 Aug 2009
TL;DR: The "coefficient H technique" is a tool used to prove various pseudo-random properties from the distribution of the number of keys that sends cleartext on some ciphertext and it can be used to find attacks on cryptographic designs.
Abstract: The "coefficient H technique" is a tool introduced in 1991 and used to prove various pseudo-random properties from the distribution of the number of keys that send a cleartext to some ciphertext. It can also be used to find attacks on cryptographic designs. In this way we can unify a lot of various pseudo-random results obtained by different authors. In this paper we will present this technique and we will give some examples of results obtained.

226 citations


Book ChapterDOI
12 Mar 2009
TL;DR: Wang et al. as mentioned in this paper proposed a proxy re-encryption scheme without pairings, in which the proxy can only transform the ciphertext in one direction, and the proposal is secure against chosen ciphertext attack (CCA) and collusion attack in the random oracle model based on the Decisional Diffie-Hellman (DDH) assumption and the integer factorization assumption, respectively.
Abstract: In a proxy re-encryption scheme, a semi-trusted proxy can transform a ciphertext under Alice's public key into another ciphertext that Bob can decrypt. However, the proxy cannot access the plaintext. Due to its transformation property, proxy re-encryption can be used in many applications, such as encrypted email forwarding. In this paper, by using signature of knowledge and the Fujisaki-Okamoto conversion, we propose a proxy re-encryption scheme without pairings, in which the proxy can only transform the ciphertext in one direction. The proposal is secure against chosen ciphertext attack (CCA) and collusion attack in the random oracle model based on the Decisional Diffie-Hellman (DDH) assumption over $\mathbb{Z}_{N^2}^*$ and the integer factorization assumption, respectively. To the best of our knowledge, it is the first unidirectional PRE scheme with CCA security and collusion-resistance.

220 citations


Book ChapterDOI
04 Nov 2009
TL;DR: In this article, two flavors of unbalanced Feistel networks can be used for achieving FPE, and new security results for each of them are presented, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak.
Abstract: Format-preserving encryption (FPE) encrypts a plaintext of some specified format into a ciphertext of identical format--for example, encrypting a valid credit-card number into a valid credit-card number. The problem has been known for some time, but it has lacked a fully general and rigorous treatment. We provide one, starting off by formally defining FPE and security goals for it. We investigate the natural approach for achieving FPE on complex domains, the "rank-then-encipher" approach, and explore what it can and cannot do. We describe two flavors of unbalanced Feistel networks that can be used for achieving FPE, and we prove new security results for each. We revisit the cycle-walking approach for enciphering on a non-sparse subset of an encipherable domain, showing that the timing information that may be divulged by cycle walking is not a damaging thing to leak.

219 citations


Journal ArticleDOI
TL;DR: Two pseudorandom binary sequence generators, based on logistic chaotic maps intended for stream cipher applications, are proposed, which possess high linear complexity and very good statistical properties.
Abstract: Two pseudorandom binary sequence generators, based on logistic chaotic maps intended for stream cipher applications, are proposed. The first is based on a single one-dimensional logistic map which exhibits random, noise-like properties at given certain parameter values, and the second is based on a combination of two logistic maps. The encryption step proposed in both algorithms consists of a simple bitwise XOR operation of the plaintext binary sequence with the keystream binary sequence to produce the ciphertext binary sequence. A threshold function is applied to convert the floating-point iterates into binary form. Experimental results show that the produced sequences possess high linear complexity and very good statistical properties. The systems are put forward for security evaluation by the cryptographic committees.

Book ChapterDOI
29 Apr 2009
TL;DR: This work proposes the first key-private PRE construction and proves its CPA-security under a simple extension of Decisional Bilinear Diffie Hellman assumption and its key-privacy under the Decision Linear assumption in the standard model.
Abstract: Proxy re-encryption (PRE) allows a proxy to convert a ciphertext encrypted under one key into an encryption of the same message under another key. The main idea is to place as little trust and reveal as little information to the proxy as necessary to allow it to perform its translations. At the very least, the proxy should not be able to learn the keys of the participants or the content of the messages it re-encrypts. However, in all prior PRE schemes, it is easy for the proxy to determine between which participants a re-encryption key can transform ciphertexts. This can be a problem in practice. For example, in a secure distributed file system, content owners may want to use the proxy to help re-encrypt sensitive information without revealing to the proxy the identity of the recipients. In this work, we propose key-private (or anonymous) re-encryption keys as an additional useful property of PRE schemes. We formulate a definition of what it means for a PRE scheme to be secure and key-private. Surprisingly, we show that this property is not captured by prior definitions or achieved by prior schemes, including even the secure obfuscation of PRE by Hohenberger et al. (TCC 2007). Finally, we propose the first key-private PRE construction and prove its CPA-security under a simple extension of Decisional Bilinear Diffie Hellman assumption and its key-privacy under the Decision Linear assumption in the standard model.

Book ChapterDOI
04 Sep 2009
TL;DR: Li et al. as discussed by the authors proposed the notion of accountable, anonymous, and ciphertext-policy attribute-based encryption (CP-A3BE), which achieves user accountability in black-box model by embedding additional user-specific information into the attribute private key issued to that user.
Abstract: As a new public key primitive, attribute-based encryption (ABE) is envisioned to be a promising tool for implementing fine-grained access control. To further address the concern of user access privacy, privacy-aware ABE schemes are being developed to achieve hidden access policy recently. For the purpose of secure access control, there is, however, still one critical functionality missing in the existing ABE schemes, which is user accountability. Currently, no ABE scheme can completely prevent the problem of illegal key sharing among users. In this paper, we tackle this problem by firstly proposing the notion of accountable, anonymous, and ciphertext-policy ABE (CP-A3BE, in short) and then giving out a concrete construction. We start by improving the state-of-the-art of anonymous CP-ABE to obtain shorter public parameters and ciphertext length. In the proposed CP-A3BE construction, user accountability can be achieved in black-box model by embedding additional user-specific information into the attribute private key issued to that user, while still maintaining hidden access policy. The proposed constructions are provably secure.

Proceedings ArticleDOI
10 Mar 2009
TL;DR: This work formalizes its security model and proposes an efficient C-PRE scheme, whose chosen-ciphertext security is proven under the 3-quotient bilinear Diffie-Hellman assumption.
Abstract: In a proxy re-encryption (PRE) system [4], a proxy, authorized by Alice, can convert a ciphertext for Alice into a ciphertext for Bob without seeing the underlying plaintext. PRE has found many practical applications requiring delegation. However, it is inadequate to handle scenarios where a fine-grained delegation is demanded. To overcome the limitation of existing PRE systems, we introduce the notion of conditional proxy re-encryption (C-PRE), whereby only ciphertexts satisfying a specific condition set by Alice can be transformed by the proxy and then decrypted by Bob. We formalize its security model and propose an efficient C-PRE scheme, whose chosen-ciphertext security is proven under the 3-quotient bilinear Diffie-Hellman assumption. We further extend the construction to allow multiple conditions with a slightly higher overhead.

Book ChapterDOI
19 Jun 2009
TL;DR: Simulations show that inducing a single random byte fault at the input of the eighth round of the AES algorithm the block cipher key can be deduced without any brute-force search.
Abstract: In the present paper a new fault based attack has been proposed against AES-Rijndael. The paper shows that by inducing a single random byte fault at the input of the eighth round of the AES algorithm the block cipher key can be deduced. Simulations show that when two faulty ciphertext pairs are generated, the key can be exactly deduced without any brute-force search. Further results show that with one single faulty ciphertext pair, the AES key can be ascertained with a brute-force search of $2^{32}$.

Journal Article
TL;DR: In this paper, a mediated CP-ABE with instantaneous attribute revocation is proposed, which is based on Ciphertext-Policy Attribute-Based Encryption (CPABE).
Abstract: In Ciphertext-Policy Attribute-Based Encryption (CP-ABE), a user secret key is associated with a set of attributes, and the ciphertext is associated with an access policy over attributes. The user can decrypt the ciphertext if and only if the attribute set of his secret key satisfies the access policy specified in the ciphertext. Several CP-ABE schemes have been proposed; however, some practical problems, such as attribute revocation, still need to be addressed. In this paper, we propose a mediated Ciphertext-Policy Attribute-Based Encryption (mCP-ABE) which extends CP-ABE with instantaneous attribute revocation. Furthermore, we demonstrate how to apply the proposed mCP-ABE scheme to securely manage Personal Health Records (PHRs).

Book ChapterDOI
17 Dec 2009
TL;DR: In this paper, a mediated CP-ABE with instantaneous attribute revocation is proposed, where the attribute set of the secret key satisfies the access policy specified in the ciphertext, and the user can decrypt a ciphertext if and only if the set of attributes satisfies a specified access policy.
Abstract: In Ciphertext-Policy Attribute-Based Encryption (CP-ABE), a user secret key is associated with a set of attributes, and the ciphertext is associated with an access policy over attributes. The user can decrypt the ciphertext if and only if the attribute set of his secret key satisfies the access policy specified in the ciphertext. Several CP-ABE schemes have been proposed; however, some practical problems, such as attribute revocation, still need to be addressed. In this paper, we propose a mediated Ciphertext-Policy Attribute-Based Encryption (mCP-ABE) which extends CP-ABE with instantaneous attribute revocation. Furthermore, we demonstrate how to apply the proposed mCP-ABE scheme to securely manage Personal Health Records (PHRs).

Book ChapterDOI
12 Mar 2009
TL;DR: This work formalizes KGC anonymous ciphertext indistinguishability by formalizing KGC one-wayness, and proposes a new system architecture with an anonymous private key generation protocol such that the KGC can issue a private key to an authenticated user without knowing the list of users identities.
Abstract: Key escrow is inherent in identity-based encryption (IBE). A curious key generation center (KGC) can simply generate the user's private key to decrypt a ciphertext. However, can a KGC still decrypt if it does not know the intended recipient of the ciphertext? We answer by formalizing KGC anonymous ciphertext indistinguishability ($\mathcal{ACI-KGC}$). We find that all existing pairing-based IBE schemes without random oracles, whether receipt-anonymous or not, do not achieve KGC one-wayness, a weaker notion of $\mathcal{ACI-KGC}$. In view of this, we first show how to equip an IBE scheme by Gentry with $\mathcal{ACI-KGC}$. Second, we propose a new system architecture with an anonymous private key generation protocol such that the KGC can issue a private key to an authenticated user without knowing the list of users' identities. This also better matches the practice that authentication should be done with the local registration authorities instead of the KGC. Our proposal can be viewed as mitigating the key escrow problem in a different dimension than the distributed KGCs approach.

Book ChapterDOI
02 Apr 2009
TL;DR: A new Ciphertext-Policy Attribute-Based Encryption (CP-ABE) with constant ciphertext length and the number of pairing computations is also constant.
Abstract: An Attribute-Based Encryption (ABE) is an encryption scheme, where users with some attributes can decrypt ciphertexts associated with these attributes. However, the length of the ciphertext depends on the number of attributes in previous ABE schemes. In this paper, we propose a new Ciphertext-Policy Attribute-Based Encryption (CP-ABE) with constant ciphertext length. Moreover, the number of pairing computations is also constant.

Book ChapterDOI
21 Sep 2009
TL;DR: Ciphertext Policy Attribute Set Based Encryption (CP-ASBE) as mentioned in this paper is a new CP-ABE scheme that allows users to impose dynamic constraints on how those attributes may be combined to satisfy a policy.
Abstract: In distributed systems users need to share sensitive objects with others based on the recipients' ability to satisfy a policy. Attribute-Based Encryption (ABE) is a new paradigm where such policies are specified and cryptographically enforced in the encryption algorithm itself. Ciphertext-Policy ABE (CP-ABE) is a form of ABE where policies are associated with encrypted data and attributes are associated with keys. In this work we focus on improving the flexibility of representing user attributes in keys. Specifically, we propose Ciphertext Policy Attribute Set Based Encryption (CP-ASBE) - a new form of CP-ABE - which, unlike existing CP-ABE schemes that represent user attributes as a monolithic set in keys, organizes user attributes into a recursive set based structure and allows users to impose dynamic constraints on how those attributes may be combined to satisfy a policy. We show that the proposed scheme is more versatile and supports many practical scenarios more naturally and efficiently. We provide a prototype implementation of our scheme and evaluate its performance overhead.

Proceedings ArticleDOI
17 May 2009
TL;DR: Why a combination of flaws in the basic design of SSH leads implementations such as OpenSSH to be open to attacks is explained, why current provable security results for SSH do not cover the authors' attacks, and how the attacks can be prevented in practice.
Abstract: This paper presents a variety of plaintext-recovering attacks against SSH. We implemented a proof of concept of our attacks against OpenSSH, where we can verifiably recover 14 bits of plaintext from an arbitrary block of ciphertext with probability $2^{-14}$ and 32 bits of plaintext from an arbitrary block of ciphertext with probability $2^{-18}$. These attacks assume the default configuration of a 128-bit block cipher operating in CBC mode. The paper explains why a combination of flaws in the basic design of SSH leads implementations such as OpenSSH to be open to our attacks, why current provable security results for SSH do not cover our attacks, and how the attacks can be prevented in practice.

Proceedings ArticleDOI
10 Mar 2009
TL;DR: One-time signature technique is used to obtain a chosen ciphertext secure extension and give its complete security proof in the standard model under traditional Decisional Bilinear Diffie-Hellman (DBDH) assumption and strong existential unforgeability of one- time signature scheme.
Abstract: Ciphertext policy attribute based encryption (CPABE) allows a sender to distribute messages based on an access policy which can be expressed as a boolean function consisting of (OR, AND) gates between attributes. A receiver whose secret key is associated with those attributes can decrypt a ciphertext successfully if and only if his attributes satisfy the ciphertext's access policy. Fine-grained access control, a new concept mentioned by GPSW in CCS'06, can realize a more delicate access policy which can be represented as an access tree with threshold gates connecting attributes. In ICALP'08, Goyal et al. designed a bounded CPABE (denoted as GJPS) with fine-grained access policy which can be proven secure under a number-theoretic assumption. In this paper, we improve their scheme by providing faster encryption / decryption algorithms and a shortened ciphertext size. Moreover, we use a one-time signature technique to obtain a chosen ciphertext secure extension and give its complete security proof in the standard model under the traditional Decisional Bilinear Diffie-Hellman (DBDH) assumption and strong existential unforgeability of the one-time signature scheme.

Book ChapterDOI
12 Dec 2009
TL;DR: In this paper, algebraic side-channel attacks are applied to the block cipher PRESENT, which is a stimulating first target, due to its simple algebraic structure, and the proposed attacks have a number of interesting features: (1) they exploit the information leakages of all the cipher rounds, (2) in common implementation contexts (e.g., assuming a Hamming weight leakage model), and (3) these attacks can succeed in an unknown-plaintext/ciphertext adversarial scenario and (4) they directly defeat countermeasures such as boolean masking
Abstract: In 2002, algebraic attacks using overdefined systems of equations were proposed as a potentially very powerful cryptanalysis technique against block ciphers. However, although a number of convincing experiments have been performed against certain reduced algorithms, it is not clear whether these attacks can be successfully applied in general and to a large class of ciphers. In this paper, we show that algebraic techniques can be combined with side-channel attacks in a very effective and natural fashion. As an illustration, we apply them to the block cipher PRESENT, which is a stimulating first target due to its simple algebraic structure. The proposed attacks have a number of interesting features: (1) they exploit the information leakages of all the cipher rounds, (2) in common implementation contexts (e.g. assuming a Hamming weight leakage model), they recover the block cipher keys after the observation of a single encryption, (3) these attacks can succeed in an unknown-plaintext/ciphertext adversarial scenario and (4) they directly defeat countermeasures such as boolean masking. Eventually, we argue that algebraic side-channel attacks can take advantage of any kind of physical leakage, leading to a new tradeoff between the robustness and informativeness of the side-channel information extraction.

Book ChapterDOI
02 Apr 2009
TL;DR: In this article, a CP-ABE scheme which can express any access policy represented by a formula involving the and (***) and or ( ***) operators was proposed, which is secure under Decision Bilinear Diffie-Hellman (DBDH) assumption.
Abstract: With a Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme, a user's private key is associated with a set of attributes and the data is encrypted under an access policy defined by the message sender. A user can decrypt a ciphertext if and only if her attributes satisfy the access policy. In CP-ABE, since the message sender enforces the access policy during the encryption phase, the policy moves with the encrypted data. In this paper, we provide an efficient CP-ABE scheme which can express any access policy represented by a formula involving the and (***) and or (***) operators. The scheme is secure under Decision Bilinear Diffie-Hellman (DBDH) assumption. Furthermore, we extend the expressiveness of the scheme by including the of operator in addition to *** and ***. We provide a comparison with some existing CP-ABE schemes and show that our schemes are more efficient.

Journal ArticleDOI
Shiguo Lian
TL;DR: Theoretical analysis and experimental results show that the block cipher has good computing security and is more suitable for image encryption and is expected to attract more researchers in this field.

Proceedings ArticleDOI
29 May 2009
TL;DR: Differential power analysis (DPA) is one of the most common side-channel attacks because of its simplicity and effectiveness and performs a statistical analysis of supply-current measurements and either the plaintext or ciphertext to disclose the secret key.
Abstract: Hardware implementations of the popular AES encryption algorithm [1,2] provide attackers with important side-channel information (delay, power consumption or EM radiation) that can be used to disclose the secret key of the encryption device. Differential power analysis (DPA) [3–5] is one of the most common side-channel attacks because of its simplicity and effectiveness (Fig. 3.5.1). It performs a statistical analysis of supply-current measurements and either the plaintext or ciphertext to disclose the secret key. These two elements can be easily recorded externally without probing internal signals on the chip. Either the plaintext or ciphertext is used to build a model of the current consumption (e.g., during a 0 to 1 transition) using knowledge of the AES algorithm and a key guess. By calculating the correlation between the model and the measured current for each possible key guess, the key is discovered. In the AES algorithm, the key consists of 16 blocks of 8 bits, each of which can be attacked independently since AES is a block cipher. For the 128-bit secret key, the DPA search space is only 16×2^8, as opposed to 2^128 for a brute-force attack.

01 Jan 2009
TL;DR: This paper proposes a ciphertext policy attribute based encryption scheme with efficient revocation which can be proved secure in the standard model, and proves the chosen plaintext security of the construction based on the Decisional Bilinear Diffie-Hellman (DBDH) assumption in the standard model.
Abstract: Revocation is a vital open problem in almost every cryptosystem dealing with malicious behaviors. In ciphertext policy attribute based encryption, unlike traditional public key cryptosystems, different users may hold the same functional secret keys associated with the same attribute set, leading to additional difficulties in designing a revocation mechanism. In this paper, we propose a ciphertext policy attribute based encryption scheme with efficient revocation which can be proved secure in the standard model. Our construction uses linear secret sharing and binary tree techniques as the underlying tools. In addition to the assigned attribute set, each user is also assigned a unique identifier. Therefore, a user can be easily revoked by using his/her unique identifier; on the other hand, the encryption and decryption algorithms of ABE (Attribute Based Encryption) can be done without any involvement of these unique identifiers. Then, we prove the chosen plaintext security of our construction based on the Decisional Bilinear Diffie-Hellman (DBDH) assumption in the standard model. Finally, we provide some discussion on the efficiency of our scheme and the extensions, including delegation capability and chosen ciphertext security.

Proceedings ArticleDOI
06 Sep 2009
TL;DR: Practical fault attack results on six kinds of block ciphers listed in ISO/IEC 18033-3 that are implemented on an LSI: AES, DES, Camellia, CAST-128, SEED, and MISTY1 are presented.
Abstract: This paper presents practical fault attack results on six kinds of block ciphers listed in ISO/IEC 18033-3 that are implemented on an LSI: AES, DES, Camellia, CAST-128, SEED, and MISTY1. We developed an experimental environment that injects faults into any desired round by supplying a clock signal with a glitch. We examined practical attack assumptions and the fault model based on experimental results. We also succeeded in recovering AES keys in the LSI using Piret's attack, which uses only one faulty ciphertext obtained using the proposed experimental environment.

Book ChapterDOI
12 Mar 2009
TL;DR: An anonymous HIBE scheme based on composite order bilinear group was proposed in this paper, where the size of the ciphertext does not depend on the depth of the hierarchy.
Abstract: We propose an anonymous Hierarchical Identity-Based Encryption (anonymous HIBE) scheme that has constant size ciphertexts. This means the size of the ciphertext does not depend on the depth of the hierarchy. Moreover, our scheme achieves the lowest computational cost because during the decryption phase the computational cost of decryption is constant. The security can be proven under reasonable assumptions without using random oracles because it is based on the composite order bilinear group. Our scheme achieves selective-ID security notion.

Journal ArticleDOI
TL;DR: A novel information hiding method based on double random-phase encoding (DRPE) and Rivest-Shamir-Adleman (RSA) public-key cryptosystem that brings security and convenience for efficient information transmission.
Abstract: A novel information hiding method based on double random-phase encoding (DRPE) and the Rivest-Shamir-Adleman (RSA) public-key cryptosystem is proposed. In the proposed technique, the inherent diffusion property of DRPE is cleverly utilized to make up for the diffusion insufficiency of RSA public-key cryptography, while the RSA cryptosystem is utilized for simultaneous transmission of the ciphertext and the two phase-masks, which is not possible under the DRPE technique. This technique combines the complementary advantages of the DRPE and RSA encryption techniques and brings security and convenience for efficient information transmission. Extensive numerical simulation results are presented to verify the performance of the proposed technique.