
Showing papers on "Plaintext-aware encryption published in 2011"


Book ChapterDOI
14 Aug 2011
TL;DR: Boldyreva et al., as discussed by the authors, showed that encryption via a random order-preserving function (ROPF) can leak both the value of any plaintext and the distance between any two plaintexts to within a range of possibilities roughly the square root of the domain size.
Abstract: We further the study of order-preserving symmetric encryption (OPE), a primitive for allowing efficient range queries on encrypted data, recently initiated (from a cryptographic perspective) by Boldyreva et al. (Eurocrypt'09). First, we address the open problem of characterizing what encryption via a random order-preserving function (ROPF) leaks about underlying data (ROPF being the "ideal object" in the security definition, POPF, satisfied by their scheme). In particular, we show that, for a database of randomly distributed plaintexts and appropriate choice of parameters, ROPF encryption leaks neither the precise value of any plaintext nor the precise distance between any two of them. The analysis here is quite technically non-trivial and introduces useful new techniques. On the other hand, we also show that ROPF encryption does leak both the value of any plaintext as well as the distance between any two plaintexts to within a range of possibilities roughly the square root of the domain size. We then study schemes that are not order-preserving, but which nevertheless allow efficient range queries and achieve security notions stronger than POPF. In a setting where the entire database is known in advance of key-generation (considered in several prior works), we show that recent constructions of "monotone minimal perfect hash functions" allow one to efficiently achieve (an adaptation of) the notion of IND-O(rdered) CPA also considered by Boldyreva et al., which asks that only the order relations among the plaintexts are leaked. Finally, we introduce modular order-preserving encryption (MOPE), in which the scheme of Boldyreva et al. is prepended with a shift cipher. MOPE improves the security of OPE in a sense, as it does not leak any information about plaintext location. We clarify that our work should not be interpreted as saying the original scheme of Boldyreva et al., or the variants that we introduce, are "secure" or "insecure." Rather, the goal of this line of research is to help practitioners decide whether the options provide a suitable security-functionality tradeoff for a given application.

463 citations


Book ChapterDOI
06 Mar 2011
TL;DR: This paper proposes the first key-policy attribute-based encryption schemes allowing for non-monotonic access structures (i.e., that may contain negated attributes) and with constant ciphertext size and describes a new efficient identity-based revocation mechanism that gives rise to the first truly expressive KP-ABE realization with constant-size ciphertexts.
Abstract: Attribute-based encryption (ABE), as introduced by Sahai and Waters, allows for fine-grained access control on encrypted data. In its key-policy flavor, the primitive enables senders to encrypt messages under a set of attributes, and private keys are associated with access structures that specify which ciphertexts the key holder will be allowed to decrypt. In most ABE systems, the ciphertext size grows linearly with the number of ciphertext attributes, and the only known exceptions only support restricted forms of threshold access policies. This paper proposes the first key-policy attribute-based encryption (KP-ABE) schemes allowing for non-monotonic access structures (i.e., that may contain negated attributes) and with constant ciphertext size. Towards achieving this goal, we first show that a certain class of identity-based broadcast encryption schemes generically yields monotonic KP-ABE systems in the selective set model. We then describe a new efficient identity-based revocation mechanism that, when combined with a particular instantiation of our general monotonic construction, gives rise to the first truly expressive KP-ABE realization with constant-size ciphertexts. The downside of these new constructions is that private keys have quadratic size in the number of attributes. On the other hand, they reduce the number of pairing evaluations to a constant, which appears to be a unique feature among expressive KP-ABE schemes.

395 citations


Book ChapterDOI
15 May 2011
TL;DR: In this article, the authors define the relaxed notion of a semi-homomorphic encryption scheme, where the plaintext can be recovered as long as the computed function does not increase the size of the input "too much".
Abstract: An additively-homomorphic encryption scheme enables us to compute linear functions of an encrypted input by manipulating only the ciphertexts. We define the relaxed notion of a semi-homomorphic encryption scheme, where the plaintext can be recovered as long as the computed function does not increase the size of the input "too much". We show that a number of existing cryptosystems are captured by our relaxed notion. In particular, we give examples of semi-homomorphic encryption schemes based on lattices, subset sum and factoring. We then demonstrate how semi-homomorphic encryption schemes allow us to construct an efficient multiparty computation protocol for arithmetic circuits, UC-secure against a dishonest majority. The protocol consists of a preprocessing phase and an online phase. Neither the inputs nor the function to be computed have to be known during preprocessing. Moreover, the online phase is extremely efficient as it requires no cryptographic operations: the parties only need to exchange additive shares and verify information theoretic MACs. Our contribution is therefore twofold: from a theoretical point of view, we can base multiparty computation on a variety of different assumptions, while on the practical side we offer a protocol with better efficiency than any previous solution.

274 citations


Book ChapterDOI
04 Dec 2011
TL;DR: A lattice-based functional encryption scheme for inner product predicates was proposed in this paper, whose security follows from the difficulty of the learning with errors (LWE) problem.
Abstract: We propose a lattice-based functional encryption scheme for inner product predicates whose security follows from the difficulty of the learning with errors (LWE) problem. This construction allows us to achieve applications such as range and subset queries, polynomial evaluation, and CNF/DNF formulas on encrypted data. Our scheme supports inner products over small fields, in contrast to earlier works based on bilinear maps. Our construction is the first functional encryption scheme based on lattice techniques that goes beyond basic identity-based encryption. The main technique in our scheme is a novel twist to the identity-based encryption scheme of Agrawal, Boneh and Boyen (Eurocrypt 2010). Our scheme is weakly attribute hiding in the standard model.

221 citations


Journal ArticleDOI
TL;DR: Both theoretical analysis and experimental simulation indicate that the plain image can be recovered exactly from the cipher image without the secret key, so this algorithm is not secure enough to be applied in network communication.

218 citations


Proceedings Article
01 Jan 2011
TL;DR: The approach uses a combination of Paillier's additive homomorphic encryption and additive secret sharing to compute the aggregated energy consumption of a given set of users.
Abstract: The first part of this paper discusses developments with respect to smart (electricity) meters (simply called E-meters) in general, with emphasis on security and privacy issues. The second part is more technical and describes protocols for secure communication with E-meters and for fraud detection (leakage) in a privacy-preserving manner. Our approach uses a combination of Paillier's additive homomorphic encryption and additive secret sharing to compute the aggregated energy consumption of a given set of users.

165 citations


Book ChapterDOI
30 May 2011
TL;DR: This paper proposes a concrete construction of ciphertext-policy hiding CP-ABE supporting the same access structure as that of Nishide, Yoneyama and Ohta, but the scheme is proven fully secure.
Abstract: In ciphertext-policy attribute-based encryption (CP-ABE), each ciphertext is labeled by the encryptor with an access structure (also called ciphertext policy) and each private key is associated with a set of attributes. A user should be able to decrypt a ciphertext if and only if his private key attributes satisfy the access structure. The traditional security property of CP-ABE is plaintext privacy, in which ciphertexts reveal no information about the underlying plaintext. At ACNS'08, Nishide, Yoneyama and Ohta introduced the notion of ciphertext-policy hiding CP-ABE. In addition to protecting the privacy of plaintexts, ciphertext-policy hiding CP-ABE also protects the description of the access structures associated with ciphertexts. They observed that ciphertext-policy hiding CP-ABE can be constructed from attribute-hiding inner-product predicate encryption (PE), and presented two constructions of ciphertext-policy hiding CP-ABE supporting restricted access structures, which can be expressed as AND gates on multi-valued attributes with wildcards. However, their schemes were only proven selectively secure. In this paper, we first describe the construction of ciphertext-policy hiding CP-ABE from attribute-hiding inner-product PE formally. Then, we propose a concrete construction of ciphertext-policy hiding CP-ABE supporting the same access structure as that of Nishide, Yoneyama and Ohta, but our scheme is proven fully secure.

141 citations


Proceedings ArticleDOI
22 Oct 2011
TL;DR: This work will take the reader through a journey of developments of fully homomorphic encryption involving novel mathematical techniques, and a glimpse of the exciting research directions that lie ahead.
Abstract: A fully homomorphic encryption scheme enables computation of arbitrary functions on encrypted data. Fully homomorphic encryption has long been regarded as cryptography's prized "holy grail" - extremely useful yet rather elusive. Starting with the groundbreaking work of Gentry in 2009, the last three years have witnessed numerous constructions of fully homomorphic encryption involving novel mathematical techniques, and a number of exciting applications. We will take the reader through a journey of these developments and provide a glimpse of the exciting research directions that lie ahead.

137 citations


Book ChapterDOI
16 Oct 2011
TL;DR: Two new CP-ABE schemes are presented which have both constant-size ciphertext and constant computation costs for a nonmonotone AND gate access policy, under chosen plaintext and chosen ciphertext attacks; they can be proven CPA-secure and CCA-secure in the standard model under the decision n-BDHE assumption and the existence of collision-resistant hash functions.
Abstract: Attribute-based encryption provides good solutions to the problem of anonymous access control by specifying access policies among private keys or ciphertexts over encrypted data. In ciphertext-policy attribute-based encryption (CP-ABE), each user is associated with a set of attributes, and data is encrypted with access structures on attributes. A user is able to decrypt a ciphertext if and only if his attributes satisfy the ciphertext access structure. CP-ABE is very appealing since the ciphertext and data access policies are integrated together in a natural and effective way. Most current CP-ABE schemes incur large ciphertext size and computation costs in the encryption and decryption operations, which depend at least linearly on the number of attributes involved in the access policy. In this paper, we present two new CP-ABE schemes, which have both constant-size ciphertext and constant computation costs for a nonmonotone AND gate access policy, under chosen plaintext and chosen ciphertext attacks. The security of the first scheme can be proven CPA-secure in the standard model under the decision n-BDHE assumption. The security of the second scheme can be proven CCA-secure in the standard model under the decision n-BDHE assumption and the existence of collision-resistant hash functions. Our scheme can also be extended to the decentralizing multi-authority setting.

126 citations


Book ChapterDOI
04 Dec 2011
TL;DR: In this article, it was shown that statistically hiding 2-round oblivious transfer implies lossy encryption and smooth hash proof systems, and that private information retrieval and homomorphic encryption both imply lossy encryptions, and thus selective opening secure public key encryption.
Abstract: Lossy encryption was originally studied as a means of achieving efficient and composable oblivious transfer. Bellare, Hofheinz and Yilek showed that lossy encryption is also selective opening secure. We present new and general constructions of lossy encryption schemes and of cryptosystems secure against selective opening adversaries. We show that every re-randomizable encryption scheme gives rise to efficient encryptions secure against a selective opening adversary. We show that statistically-hiding 2-round Oblivious Transfer implies Lossy Encryption and so do smooth hash proof systems. This shows that private information retrieval and homomorphic encryption both imply Lossy Encryption, and thus Selective Opening Secure Public Key Encryption. Applying our constructions to well-known cryptosystems, we obtain selective opening secure commitments and encryptions from the Decisional Diffie-Hellman, Decisional Composite Residuosity and Quadratic Residuosity assumptions. In an indistinguishability-based model of chosen-ciphertext selective opening security, we obtain secure schemes featuring short ciphertexts under standard number theoretic assumptions. In a simulation-based definition of chosen-ciphertext selective opening security, we also handle non-adaptive adversaries by adapting the Naor-Yung paradigm and using the perfect zero-knowledge proofs of Groth, Ostrovsky and Sahai.

125 citations


Journal ArticleDOI
TL;DR: The modified Patidar et al. scheme is still insecure against the same known/chosen-plaintext attack, and some other security defects existing in both the original and the modified schemes are reported.

Journal ArticleDOI
TL;DR: An improved method for multiple-image encryption based on nonlinear operations in Fourier domain is proposed and the increase in the number of keys, removal of linearity and high robustness could be achieved in this cryptosystem.

Book ChapterDOI
14 Aug 2011
TL;DR: A framework for studying the security of deterministic public-key encryption schemes with respect to auxiliary inputs is formalized and two schemes are proposed based on the decisional Diffie-Hellman (and, more generally, on the d-linear) assumption and a rather general class of subgroup indistinguishability assumptions.
Abstract: Deterministic public-key encryption, introduced by Bellare, Boldyreva, and O'Neill (CRYPTO '07), provides an alternative to randomized public-key encryption in various scenarios where the latter exhibits inherent drawbacks. A deterministic encryption algorithm, however, cannot satisfy any meaningful notion of security when the plaintext is distributed over a small set. Bellare et al. addressed this difficulty by requiring semantic security to hold only when the plaintext has high min-entropy from the adversary's point of view. In many applications, however, an adversary may obtain auxiliary information that is related to the plaintext. Specifically, when deterministic encryption is used as a building block of a larger system, it is rather likely that plaintexts do not have high min-entropy from the adversary's point of view. In such cases, the framework of Bellare et al. might fall short of providing robust security guarantees. We formalize a framework for studying the security of deterministic public-key encryption schemes with respect to auxiliary inputs. Given the trivial requirement that the plaintext should not be efficiently recoverable from the auxiliary input, we focus on hard-to-invert auxiliary inputs. Within this framework, we propose two schemes: the first is based on the decisional Diffie-Hellman (and, more generally, on the d-linear) assumption, and the second is based on a rather general class of subgroup indistinguishability assumptions (including, in particular, quadratic residuosity and Paillier's composite residuosity). Our schemes are secure with respect to any auxiliary input that is subexponentially hard to invert (assuming the standard hardness of the underlying computational assumptions). In addition, our first scheme is secure even in the multi-user setting where related plaintexts may be encrypted under multiple public keys. Constructing a scheme that is secure in the multi-user setting (even without considering auxiliary inputs) was identified by Bellare et al. as an important open problem.

Journal ArticleDOI
TL;DR: It is demonstrated that, in its actual design, the recent chaos-based cryptosystem cannot be used in real-world applications and needs to be first enhanced by avoiding the design drawbacks reported in this work.

Journal ArticleDOI
TL;DR: An image encryption scheme using Arnold transform and random strategies is proposed, achieved by dividing the image into random overlapping square blocks, generating random iterative numbers and a random encryption order, and scrambling the pixels of each block using Arnold transform.
Abstract: Encryption is an efficient way to protect the contents of digital media. Arnold transform is a significant technique of image encryption, but has weaknesses in security and in its application to images of any size. To solve these problems, we propose an image encryption scheme using Arnold transform and random strategies. It is achieved by dividing the image into random overlapping square blocks, generating random iterative numbers and a random encryption order, and scrambling the pixels of each block using Arnold transform. Experimental results show that the proposed encryption scheme is robust and secure. It has no size limitation, indicating its applicability to images of any size.

Book ChapterDOI
11 Aug 2011
TL;DR: This paper shows that the basic Gentry scheme is not IND-CCA1; indeed a trivial lunchtime attack allows one to recover the secret key and examines the security of the scheme against another security notion, namely security in the presence of ciphertext validity checking oracles; and shows why CCA-like notions are important in applications in which multiple parties submit encrypted data to the "cloud" for secure processing.
Abstract: It is well known that any encryption scheme which supports any form of homomorphic operation cannot be secure against adaptive chosen ciphertext attacks. The question then arises as to what is the most stringent security definition which is achievable by homomorphic encryption schemes. Prior work has shown that various schemes which support a single homomorphic encryption scheme can be shown to be IND-CCA1, i.e. secure against lunchtime attacks. In this paper we extend this analysis to the recent fully homomorphic encryption scheme proposed by Gentry, as refined by Gentry, Halevi, Smart and Vercauteren. We show that the basic Gentry scheme is not IND-CCA1; indeed a trivial lunchtime attack allows one to recover the secret key. We then show that a minor modification to the variant of the somewhat homomorphic encryption scheme of Smart and Vercauteren will allow one to achieve IND-CCA1, indeed PA-1, in the standard model assuming a lattice based knowledge assumption. We also examine the security of the scheme against another security notion, namely security in the presence of ciphertext validity checking oracles; and show why CCA-like notions are important in applications in which multiple parties submit encrypted data to the "cloud" for secure processing.

Journal ArticleDOI
TL;DR: This paper presents a new inner-product encryption (IPE) scheme, as a specialized predicate encryption scheme, whose security relies on the well-known Decision Bilinear Diffie-Hellman (BDH) and Decision Linear assumptions.
Abstract: Predicate encryption is a generalized notion for public key encryption that enables one to encrypt attributes as well as a message. In this paper, we present a new inner-product encryption (IPE) scheme, as a specialized predicate encryption scheme, whose security relies on the well-known Decision Bilinear Diffie-Hellman (BDH) and Decision Linear assumptions. Our IPE scheme uses prime order groups equipped with a bilinear map and works in both symmetric and asymmetric bilinear maps. Our result is the first construction of IPE under the standard assumptions. Prior to our work, all IPE schemes known to date require non-standard assumptions to prove security, and moreover some of them use composite-order groups. To achieve our goal, we introduce a novel technique for attribute-hiding, which may be of independent interest.

Proceedings ArticleDOI
12 Dec 2011
TL;DR: It has been proved that the algorithm has achieved the computing-security level in the encryption security estimating system and the validity of the algorithm is proved through simulation and the theoretical analysis, including bio-security and math-security.
Abstract: In this paper, a new index-based symmetric DNA encryption algorithm has been proposed. Adopting the methods of Block-Cipher and Index of string, the algorithm encrypts the DNA-sequence-based plaintext. First, the algorithm encodes each character into ASCII codes. And then, according to the nucleotide sequence, the researcher should convert it to the DNA coding. Besides, the researcher selects the special DNA sequence as the encryption index, and likewise, the pretreated plaintext will be divided into different groups. Next, the key created by the Chaos Key Generator based on the Logistic Mapping and initialized by the numbers x_0 and μ, will take XOR operation with the block-plaintext. The type of the numbers x_0 and μ, which are selected by the researcher, is double. Then, the result of these processes will be translated on the DNA sequence. In addition, compared to the special DNA sequence, the algorithm finds the sequence which has no difference with it. Then, the algorithm will store the position as the Cipher-text. The researcher proves the validity of the algorithm through simulation and the theoretical analysis, including bio-security and math-security. The algorithm has a huge key space, high sensitivity to plaintext, and an extremely great effect on encryption. Also, it has been proved that the algorithm has achieved the computing-security level in the encryption security estimating system.

Proceedings ArticleDOI
22 Mar 2011
TL;DR: A new notion called ID-based Online/Offline KEM (IBOOKEM) is proposed that allows the key encapsulation process to be split into offline and online stages, in the same way as IBOOE does; the resulting schemes are the most efficient in the state of the art in terms of online computation and ciphertext size, which are the two main focuses of online/offline schemes.
Abstract: An identity-based online/offline encryption (IBOOE) scheme splits the encryption process into two phases. The first phase performs most of the heavy computations, such as modular exponentiation or pairing over points on an elliptic curve. The knowledge of the plaintext or the receiver's identity is not required until the second phase, where the ciphertext is produced by only light computations, such as integer addition/multiplication or hashing. This division of computations makes encryption affordable by devices with limited computation power since the preparation works can be executed "offline" or possibly by some powerful devices. The identity-based (ID-based) nature of the scheme also allows the preparation of ciphertext without certificate verification. Since efficiency is the main concern, less burden in the computation requirements of all phases (i.e., both phases of encryption and the decryption phase) and smaller ciphertext size are desirable. In this paper, we propose new schemes with improved efficiency over previous schemes by assuming random oracles. Our first construction is a very efficient scheme secure against chosen-plaintext attack (CPA), which is just slightly modified from an existing scheme. We then proceed to propose a new notion called ID-based Online/Offline KEM (IBOOKEM) that allows the key encapsulation process to be split into offline and online stages, in the same way as IBOOE does. We also present a generic transformation to get security against chosen-ciphertext attack (CCA) for IBOOE from any IBOOKEM scheme with one-wayness only. Our schemes (both CPA and CCA) are the most efficient ones in the state of the art, in terms of online computation and ciphertext size, which are the two main focuses of online/offline schemes. Our schemes are very suitable to be deployed on embedded devices such as smartcards or wireless sensors, which have very limited computation power and for which communication bandwidth is very expensive.

Proceedings ArticleDOI
05 Jun 2011
TL;DR: The proposed IBCPRE scheme is secure against the chosen ciphertext and identity attack in the random oracle, and based on Boneh-Franklin identity-based encryption, it is very useful in encrypted email forwarding.
Abstract: This paper proposes a new cryptographic primitive, named identity-based conditional proxy re-encryption (IBCPRE). In this primitive, a proxy with some information (a.k.a. re-encryption key) is allowed to transform a subset of ciphertexts under an identity to other ciphertexts under another identity. Due to the specific transformation, IBCPRE is very useful in encrypted email forwarding. Furthermore, we propose a concrete IBCPRE scheme based on Boneh-Franklin identity-based encryption. The proposed IBCPRE scheme is secure against the chosen ciphertext and identity attack in the random oracle.

Journal ArticleDOI
TL;DR: It is proved that RAC is insecure even if a new random key is used to compress every message and the method of first-compress-then-encrypt, where the encryption is performed by a bitwise xor of the compressed output with a pseudorandom bit sequence, is provably secure with respect to chosen-plaintext attacks.
Abstract: Modifications of arithmetic coding (AC) have been proposed to improve the security of traditional AC. Two main modifications to AC are randomized AC (RAC) and AC with key-based interval splitting (KSAC). Chosen-plaintext attacks have been proposed for these two methods when the same key is used to encrypt different messages. We first give a definition for security of encryption using AC that is based on the inability of the adversary to distinguish between the encryption of one plaintext and the encryption of another. Using this definition, we prove that RAC is insecure even if a new random key is used to compress every message. Our proof assumes that the adversary can only eavesdrop on the ciphertext and cannot request encryptions of chosen plaintexts. We then prove that the method of first-compress-then-encrypt, where the encryption is performed by a bitwise xor of the compressed output with a pseudorandom bit sequence, is provably secure with respect to chosen-plaintext attacks. If the pseudorandom bit sequence is derived in advance using the Advanced Encryption Standard (AES) in counter mode, then the first-compress-then-encrypt method results in a performance penalty of only a few two-input xor-gate delays.

Book ChapterDOI
16 Dec 2011
TL;DR: In this work, the ciphertext and secret key remain constant in length, irrespective of the number of attributes chosen, and the decryption algorithm requires a fixed and smaller number of pairing operations.
Abstract: In a Ciphertext Policy Attribute Based Encryption (CP-ABE) scheme, a user is able to decrypt the ciphertext only if the pre-specified access structure (also called ciphertext policy) in the ciphertext matches the attributes defined in the secret key. However, the limitation of the scheme is that the receiver's anonymity is sacrificed, as the access structure of the ciphertext reveals the same. The obvious solution to this problem, as proposed by Nishide et al., is to hide the ciphertext policy (hidden access structure). However, although this solution uses reasonably computable decryption policies, it generates a ciphertext whose size varies at least linearly with the number of attributes. It also requires additional pairing operations during decryption. We attempt to overcome these limitations in the proposed scheme, viz. Ciphertext Policy Attribute Based Encryption with Constant Length (CP-ABE-CL). In our scheme, the ciphertext and secret key remain constant in length, irrespective of the number of attributes chosen. In addition, the decryption algorithm requires a fixed and smaller number of pairing operations. Our scheme works for a threshold case: the number of attributes (excluding wildcard attributes) in a policy must be a subset of attributes in a secret key. The proposed scheme supports positive, negative and wildcard attributes in the policy.

Book ChapterDOI
04 Dec 2011
TL;DR: In this paper, it was shown that there is no non-interactive receiver-deniable cryptosystem with better than polynomial security, and also that it is impossible to construct a non-interactive bi-deniable public-key encryption scheme with better than polynomial security.
Abstract: A deniable cryptosystem allows a sender and a receiver to communicate over an insecure channel in such a way that the communication is still secure even if the adversary can threaten the parties into revealing their internal states after the execution of the protocol. This is done by allowing the parties to change their internal state to make it look like a given ciphertext decrypts to a message different from what it really decrypts to. Deniable encryption was in this way introduced to allow one to deny a message exchange and hence combat coercion. Depending on which parties can be coerced, the security level, the flavor and the number of rounds of the cryptosystem, it is possible to define a number of notions of deniable encryption. In this paper we prove that there does not exist any non-interactive receiver-deniable cryptosystem with better than polynomial security. This also shows that it is impossible to construct a non-interactive bi-deniable public-key encryption scheme with better than polynomial security. Specifically, we give an explicit bound relating the security of the scheme to how efficient the scheme is in terms of key size. Our impossibility result establishes a lower bound on the security. As a final contribution we give constructions of deniable public-key encryption schemes which establish upper bounds on the security in terms of key length. There is a gap between our lower and upper bounds, which leaves the interesting open problem of finding the tight bounds.

Book ChapterDOI
Hoeteck Wee
15 May 2011
TL;DR: A new unifying framework for constructing noninteractive threshold encryption and signature schemes, as well as broadcast encryption schemes, and in particular, derive several new cryptosystems based on hardness of factoring is presented.
Abstract: We present a new unifying framework for constructing noninteractive threshold encryption and signature schemes, as well as broadcast encryption schemes, and in particular, derive several new cryptosystems based on hardness of factoring, including: - a threshold signature scheme (in the random oracle model) that supports ad-hoc groups (i.e., exponential number of identities and the set-up is independent of the total number of parties) and implements the standard Rabin signature; - a threshold encryption scheme that supports ad-hoc groups, where encryption is the same as that in the Blum-Goldwasser cryptosystem and therefore more efficient than RSA-based implementations; - a CCA-secure threshold encryption scheme in the random oracle model; - a broadcast encryption scheme (more precisely, a revocation cryptosystem) that supports ad-hoc groups, whose complexity is comparable to that of the Naor-Pinkas scheme; moreover, we provide a variant of the construction that is CCA-secure in the random oracle model. Our framework rests on a new notion of threshold extractable hash proofs. The latter can be viewed as a generalization of the extractable hash proofs, which are a special kind of non-interactive zero-knowledge proof of knowledge.

Journal Article
TL;DR: The International Data Encryption Algorithm (IDEA) is described by the author as one of the strongest secret-key block ciphers, and the article shows how its encryption can be expressed in a simpler way.
Abstract: There are several symmetric and asymmetric data encryption algorithms. IDEA (International Data Encryption Algorithm) is one of the strongest secret-key block ciphers. In this article, I try to represent the existing IDEA algorithm in a different way. In the following illustration, we will see how the encryption can be expressed in a simpler way.
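
The abstract above promises a simpler view of IDEA but the page carries none of the article's own material, so the following is an added worked example, not code from the article: a complete Python implementation of IDEA's three 16-bit group operations (XOR, addition mod 2^16, multiplication mod 2^16+1 with 0 standing for 2^16), the 52-subkey schedule, the eight rounds plus the output half-round, and the derivation of decryption subkeys. It is checked against the algorithm's standard published test vector (key 0001 0002 ... 0008, plaintext 0000 0001 0002 0003, ciphertext 11FB ED2B 0198 6DE5). Everything beyond the algorithm itself (function names, the demo key and message) is this example's own choice.

```python
"""IDEA: 64-bit block, 128-bit key, 8 rounds plus an output half-round.
Added example implementation; not the article's code."""
from __future__ import annotations

MASK16 = 0xFFFF
MOD_MUL = 0x10001   # 2^16 + 1 is prime, so the 16-bit words form a group under
                    # multiplication once the value 0 is read as 2^16


def mul(a: int, b: int) -> int:
    """Multiplication modulo 2^16 + 1, with the 16-bit value 0 representing 2^16."""
    a = a or 0x10000
    b = b or 0x10000
    r = (a * b) % MOD_MUL
    return 0 if r == 0x10000 else r


def add(a: int, b: int) -> int:
    """Addition modulo 2^16."""
    return (a + b) & MASK16


def mul_inv(a: int) -> int:
    """Inverse under mul(); 0 is self-inverse because 2^16 is -1 mod 2^16+1."""
    return 0 if a == 0 else pow(a, -1, MOD_MUL)


def add_inv(a: int) -> int:
    """Inverse under add()."""
    return (-a) & MASK16


def encrypt_subkeys(key: bytes) -> list[int]:
    """52 16-bit subkeys: the 8 words of the key, then rotate the whole 128-bit
    key left by 25 bits and take the next 8 words, until 52 have been produced."""
    if len(key) != 16:
        raise ValueError("IDEA key must be 128 bits")
    k = int.from_bytes(key, "big")
    subkeys = []
    for i in range(52):
        if i and i % 8 == 0:
            k = ((k << 25) | (k >> 103)) & ((1 << 128) - 1)
        subkeys.append((k >> (112 - 16 * (i % 8))) & MASK16)
    return subkeys


def decrypt_subkeys(z: list[int]) -> list[int]:
    """Decryption reuses the encryption circuit with inverted subkeys taken in
    reverse round order; the additive keys of the two middle words are swapped
    for rounds 2..8 because the round function swaps those words."""
    d = [0] * 52
    # half-round 1 undoes the output transformation; its MA keys are round 8's
    d[0:6] = [mul_inv(z[48]), add_inv(z[49]), add_inv(z[50]), mul_inv(z[51]), z[46], z[47]]
    for j in range(1, 8):
        e = 6 * (8 - j)   # index of the encryption round being undone
        d[6 * j:6 * j + 6] = [mul_inv(z[e]), add_inv(z[e + 2]), add_inv(z[e + 1]),
                              mul_inv(z[e + 3]), z[e - 2], z[e - 1]]
    d[48:52] = [mul_inv(z[0]), add_inv(z[1]), add_inv(z[2]), mul_inv(z[3])]
    return d


def _crypt(block: bytes, sk: list[int]) -> bytes:
    """Run the IDEA circuit on one 64-bit block with the given 52 subkeys."""
    if len(block) != 8:
        raise ValueError("IDEA block must be 64 bits")
    x1, x2, x3, x4 = (int.from_bytes(block[i:i + 2], "big") for i in range(0, 8, 2))
    for r in range(8):
        k = sk[6 * r:6 * r + 6]
        y1, y2, y3, y4 = mul(x1, k[0]), add(x2, k[1]), add(x3, k[2]), mul(x4, k[3])
        t0 = mul(y1 ^ y3, k[4])              # multiplication-addition (MA) box
        t1 = mul(add(t0, y2 ^ y4), k[5])
        t2 = add(t0, t1)
        x1, x2, x3, x4 = y1 ^ t1, y3 ^ t1, y2 ^ t2, y4 ^ t2   # middle words swap
    k = sk[48:52]
    out = (mul(x1, k[0]), add(x3, k[1]), add(x2, k[2]), mul(x4, k[3]))  # swap undone
    return b"".join(w.to_bytes(2, "big") for w in out)


def idea_encrypt(key: bytes, block: bytes) -> bytes:
    return _crypt(block, encrypt_subkeys(key))


def idea_decrypt(key: bytes, block: bytes) -> bytes:
    return _crypt(block, decrypt_subkeys(encrypt_subkeys(key)))


if __name__ == "__main__":
    # Standard IDEA test vector (constructed inputs, public values).
    key = bytes.fromhex("00010002000300040005000600070008")
    pt = bytes.fromhex("0000000100020003")
    ct = idea_encrypt(key, pt)
    print(ct.hex(), idea_decrypt(key, ct) == pt)
```

The two points the implementation has to get right are the multiplication group (the word 0 stands for 2^16, so mul(0, 0) = 1) and the decryption schedule, which is the same round function fed inverted subkeys in reverse order. Note the 64-bit block size: under CBC or CTR a birthday collision is expected after roughly 2^32 blocks (32 GiB) of data under one key, so IDEA is a study object here rather than a choice for new designs.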

Book ChapterDOI
30 Nov 2011
TL;DR: This work presents a ciphertext policy attribute-based encryption (CP-ABE) scheme, which supports and-gates without pairings, and has a very strong security proof based on worst-case hardness.
Abstract: Sahai and Waters [34] proposed Attribute-Based Encryption (ABE) as a new paradigm of encryption algorithms that allow the sender to set a policy describing who can read the secret data. In recent years, many attribute-based schemes have appeared in the literature, but almost all of them, to the best of our knowledge, are constructed from pairings. In this work, we present a ciphertext policy attribute-based encryption (CP-ABE) scheme which supports AND-gates without pairings. Our scheme is defined on q-ary lattices, and has a very strong security proof based on worst-case hardness. More precisely, under the learning with errors (LWE) assumption, our CP-ABE scheme is secure against chosen plaintext attack in the selective access structure model. Though our scheme only encrypts one bit at a time, we point out that it can support multi-bit encryption by using a well-known technique. Besides, our result can be easily extended to ideal lattices for better efficiency.

Posted Content
TL;DR: This paper presents attacks that recover an equivalent secret key, and directly recover plaintext from ciphertext, for lattice dimension n=2048 using a lattice reduction algorithm.
Abstract: For the fully homomorphic encryption schemes in [3, 6], this paper presents attacks that solve for an equivalent secret key and directly recover plaintext from ciphertext for lattice dimension n=2048 with a lattice reduction algorithm. If the average-case behavior of LLL reported in [8] holds, then their schemes are also insecure for n=8192.

Proceedings ArticleDOI
28 Mar 2011
TL;DR: This paper presents the principle of selective encryption and proposes a probabilistically selective encryption algorithm based on a symmetric key; simulations indicate that selective encryption can indeed improve the efficiency of message encryption.
Abstract: Symmetric key algorithms are typically efficient and fast cryptosystems, so they have significant applications in many realms. For a wireless ad hoc network with constrained computational resources, a cryptosystem based on symmetric key algorithms is extremely suitable for such an agile and dynamic environment, along with other security strategies. In this paper, we introduce the concept of selective encryption into the design of data protection mechanisms. First, we present the principle of selective encryption and propose a probabilistically selective encryption algorithm based on a symmetric key. By utilizing probabilistic methodology and a stochastic algorithm, a sender includes proper uncertainty in the process of message encryption, so that only the entrusted receiver can decrypt the ciphertext and other unauthorized nodes have no knowledge of the transmitted messages on the whole. In addition, we also employ other security mechanisms to enhance the security of our proposed scheme. Eventually, we carry out an extensive set of simulation experiments based on the ns2 simulator, and our simulation indicates that the technique of selective algorithms can indeed improve the efficiency of message encryption.

Journal ArticleDOI
Abir Awad1
TL;DR: In this paper, a 2D chaotic map is used to shuffle the image pixel positions, and substitution (confusion) and permutation (diffusion) operations on every block, with multiple rounds, are combined using two perturbed chaotic PWLCM maps.
Abstract: This paper presents a novel and robust chaos-based cryptosystem for securely transmitted images, and four other versions. In the proposed block encryption/decryption algorithm, a 2D chaotic map is used to shuffle the image pixel positions. Then, substitution (confusion) and permutation (diffusion) operations on every block, with multiple rounds, are combined using two perturbed chaotic PWLCM maps. The perturbing orbit technique improves the statistical properties of encrypted images. The error propagation obtained in various standard cipher block modes demonstrates that the proposed cryptosystem is suitable for transmitting cipher data over a corrupted digital channel. Finally, to quantify the security level of the proposed cryptosystem, many tests are performed, and experimental results show that the suggested cryptosystem has a high security level.

01 Jan 2011
TL;DR: This paper does not use DNA biological operations to implement image encryption; instead, DNA sequences are used as the secret keys, the permutation process is implemented using Hao's fractal sequence representation, and a diffusion process alters the gray values.
Abstract: The security of image information has become more and more important. At present, researchers have paid much attention to DNA cryptography-based image encryption. In this paper, an efficient encryption approach is proposed in which we do not use DNA biological operations to implement image encryption, but DNA sequences are used as the secret keys. The permutation process is implemented by using Hao's fractal sequence representation and the diffusion process is used to alter the gray values. According to the simulation experiment and performance analysis, this approach is feasible and effective.