Identity-Based Encryption Secure against Selective Opening Attack

Bellare, Mihir; Waters, Brent; Yilek, Scott

doi:10.1007/978-3-642-19571-6_15

Cited by 81 publications

(121 citation statements)

References 34 publications

(74 reference statements)

Supporting

Mentioning

120

Contrasting

Order By: Relevance

“…The general subgroup decision assumption for composite order bilinear groups (formulated in [3]) is a family of static complexity assumptions based on the intuition that it should be hard to determine which components are present in a random group element, except for what can be trivially determined by testing for orthogonality with other given group elements. More precisely, for each non-empty subset S ⊆ [m], there is an associated subgroup of order ∏ i∈S p i in G, which we will denote by G S .…”

Section: General Subgroup Decision Assumptionmentioning

confidence: 99%

“…Recently, several cryptosystems have been constructed in composite order bilinear groups and proven secure from instances (and close variants) of the general subgroup decision assumption defined in [3]. For example, the systems presented in [27,25,29,28,26] provide diverse and advanced functionalities like identity-based encryption (IBE), hierarchical identity-based encryption (HIBE), and attribute-based encryption with strong security guarantees (e.g.…”

Section: Introductionmentioning

confidence: 99%

“…First, the step of translating the assumptions often does not result in standard assumptions like DLIN. A reduction to DLIN is only provided for the most basic variant of the subgroup decision assumption, and does not extend (for example) to the general subgroup decision assumption from [3]. Second, the step of translating the proof fails for many schemes, including all of the recent composite order schemes employing the dual system encryption proof methodology [27,25,29,28,26].…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting

Lewko

2012

Lecture Notes in Computer Science

184

206

View full text Add to dashboard Cite

In this paper, we explore a general methodology for converting composite order pairingbased cryptosystems into the prime order setting. We employ the dual pairing vector space approach initiated by Okamoto and Takashima and formulate versatile tools in this framework that can be used to translate composite order schemes for which the prior techniques of Freeman were insufficient. Our techniques are typically applicable for composite order schemes relying on the canceling property and proven secure from variants of the subgroup decision assumption, and will result in prime order schemes that are proven secure from the decisional linear assumption. As an instructive example, we obtain a translation of the Lewko-Waters composite order IBE scheme. This provides a close analog of the BonehBoyen IBE scheme that is proven fully secure from the decisional linear assumption. We also provide a translation of the Lewko-Waters unbounded HIBE scheme.

show abstract

Section: General Subgroup Decision Assumptionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting

Lewko

2012

Lecture Notes in Computer Science

184

206

View full text Add to dashboard Cite

show abstract

“…However, we also show that our approach leads to a direct construction of hidden-vector encryption HVE, a generalization of anonymous IBE introduced by [BW07]. The scheme is set in composite order bilinear groups and is proven secure under the general subgroup decision assumption [BWY11]. Our scheme is similar to IND-secure constructions (see [OT12,DCIP13]) except that it uses additional subgroups.…”

Section: Simulation-secure Hidden Vector Encryptionmentioning

confidence: 80%

“…In this section we show that assumptions 1, 2, 3 and 4 are special cases of the General Subgroup Decision Assumption introduced by Bellare et al [BWY11] that is defined for bilinear groups of composite order product of m distinct primes, p 1 , . .…”

Section: B1 General Subgroup Decision Assumptionmentioning

confidence: 97%

On the Achievability of Simulation-Based Security for Functional Encryption

Iovino

Jain

et al. 2013

Advances in Cryptology – CRYPTO 2013

View full text Add to dashboard Cite

Abstract. Recently, there has been rapid progress in the area of functional encryption (FE), in which a receiver with secret-key sky can compute from an encryption of x the value F (x, y) for some functionality F . Two central open questions that remain are: (1) Can we construct FE secure under an indistinguishability-based (IND) security notion for general circuits? (2) To what extent can we achieve a simulation-based (SIM) security notion for FE? Indeed, it was previously shown that IND-security for FE is too weak for some functionalities , but that there exist striking impossibility results for SIM-security [Boneh et al. -TCC'11, Agrawal et al. -ePrint 2012]. Our work establishes a connection between these questions by giving a compiler that transforms any IND-secure FE scheme for general circuits into one that is SIM-secure for general circuits.-In the random oracle model, our resulting scheme is SIM-secure for an unbounded number of ciphertexts and key-derivation queries. We achieve this result by starting from an IND-secure FE scheme for general circuits with random oracle gates. -In the standard model, our resulting scheme is secure for a bounded number of ciphertexts and non-adaptive key-derivation queries (i.e., those made before seeing the challenge ciphertexts), but an unbounded number of adaptive key-derivation queries. These parameters match the known impossibility results for SIM-secure FE and improve upon the parameters achieved by Gorbunov et al. [CRYPTO'12]. The techniques for our compiler are inspired by constructions of non-committing encryption [Nielsen -CRYPTO '02] and the celebrated Feige-Lapidot-Shamir paradigm [FOCS'90] for obtaining zeroknowledge proof systems from witness-indistinguishable proof systems. Our compiler in the standard model requires an IND-secure FE scheme for general circuits, it leaves open the question of whether we can obtain SIM-secure FE for special cases of interest under weaker assumptions. To this end, we next show that our approach leads to a direct construction of SIM-secure hidden vector encryption (an important special case of FE that generalizes anonymous identity-based encryption). The scheme, which is set in composite order bilinear groups under subgroup decision assumptions, achieves security for a bounded number of ciphertexts but unbounded number of both non-adaptive and adaptive key-derivation queries, again matching the known impossibility results. In particular, to our knowledge this is the first construction of SIM-secure FE (for any non-trivial functionality) in the standard model handling an unbounded number of adaptive key-derivation queries. Finally, we revisit the negative results for SIM-secure FE. We observe that the known results leave open the possibility of achieving SIM-security for various natural formulations of security (such as non-black-box simulation for non-adaptive adversaries). We settle these questions in the negative, thus providing essentially a full picture of the (un)achievability of SIM-security.

show abstract

Public‐key encryption scheme with selective opening chosen‐ciphertext security based on the Decisional Diffie–Hellman assumption

Liu

Zhang

Chen

2013

Concurrency and Computation

View full text Add to dashboard Cite

SUMMARYChosen‐ciphertext security has been well‐accepted as a standard security notion for public‐key encryption. But in a multi‐user surrounding, it may not be sufficient, because the adversary may corrupt some users to obtain the random coins as well as the plaintexts used to generate ciphertexts. The attack is named ‘selective opening attack’. We study how to achieve full‐fledged chosen‐ciphertext security in selective opening setting directly from the Decisional Diffie–Hellman assumption. Our construction is actually a tag‐based public‐key encryption scheme free of chameleon hashing and has a tight security reduction to the Decisional Diffie–Hellman assumption and the collision‐resistant assumption of hash functions. The tag for each ciphertext is generated in a flexible way to serve the chosen‐ciphertext security proof in selective opening settings. Copyright © 2013 John Wiley & Sons, Ltd.

show abstract

Identity-Based Encryption Secure against Selective Opening Attack

Cited by 81 publications

References 34 publications

Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting

Tools for Simulating Features of Composite Order Bilinear Groups in the Prime Order Setting

On the Achievability of Simulation-Based Security for Functional Encryption

Public‐key encryption scheme with selective opening chosen‐ciphertext security based on the Decisional Diffie–Hellman assumption

Contact Info

Product

Resources

About