Ciphertext


The Experts below are selected from a list of 15252 Experts worldwide ranked by ideXlab platform

Robert H. Deng - One of the best experts on this subject based on the ideXlab platform.

  • An Efficient and Expressive Ciphertext-Policy Attribute-Based Encryption Scheme with Partially Hidden Access Structures
    Provable Security, 2016
    Co-Authors: Hui Cui, Robert H. Deng, Guowei Wu, Junzuo Lai
    Abstract:

    A promising solution to protect data privacy in cloud storage services is known as ciphertext-policy attribute-based encryption (CP-ABE). However, in a traditional CP-ABE scheme, a ciphertext is bound with an explicit access structure, which may leak private information about the underlying plaintext in that anyone having access to the ciphertexts can tell the attributes of the privileged recipients by looking at the access structures. A notion called CP-ABE with partially hidden access structures [14, 15, 18, 19, 24] was put forth to address this problem, in which each attribute consists of an attribute name and an attribute value and the specific attribute values of an access structure are hidden in the ciphertext. However, previous CP-ABE schemes with partially hidden access structures only support access structures in AND gates, whereas a few other schemes supporting expressive access structures are computationally inefficient since they are built from bilinear pairings over the composite-order groups. In this paper, we focus on addressing this problem, and present an expressive CP-ABE scheme with partially hidden access structures in prime-order groups.

  • Fully Secure Key-Policy Attribute-Based Encryption with Constant-Size Ciphertexts and Fast Decryption
    Computer and Communications Security, 2014
    Co-Authors: Junzuo Lai, Robert H. Deng, Jian Weng
    Abstract:

    Attribute-based encryption (ABE), introduced by Sahai and Waters, is a promising cryptographic primitive, which has been widely applied to implement fine-grained access control systems for encrypted data. In its key-policy flavor, attribute sets are used to annotate ciphertexts and secret keys are associated with access structures that specify which ciphertexts a user is entitled to decrypt. In most existing key-policy attribute-based encryption (KP-ABE) constructions, the size of the ciphertext is proportional to the number of attributes associated with it and the decryption cost is proportional to the number of attributes used during decryption. In this paper, we present a new construction of KP-ABE. Our proposed construction is the first KP-ABE scheme that has the following features simultaneously: expressive (i.e., supporting arbitrary monotonic access structures); fully secure in the standard model; constant-size ciphertexts and fast decryption. The downside of our construction is that secret keys have quadratic size in the number of attributes.

  • Key-Aggregate Cryptosystem for Scalable Data Sharing in Cloud Storage
    IEEE Transactions on Parallel and Distributed Systems, 2014
    Co-Authors: Cheng Kang Chu, Wen-guey Tzeng, Sherman S. M. Chow, Jianying Zhou, Robert H. Deng
    Abstract:

    Data sharing is an important functionality in cloud storage. In this paper, we show how to securely, efficiently, and flexibly share data with others in cloud storage. We describe new public-key cryptosystems that produce constant-size ciphertexts such that efficient delegation of decryption rights for any set of ciphertexts is possible. The novelty is that one can aggregate any set of secret keys and make them as compact as a single key, but encompassing the power of all the keys being aggregated. In other words, the secret key holder can release a constant-size aggregate key for flexible choices of ciphertext set in cloud storage, but the other encrypted files outside the set remain confidential. This compact aggregate key can be conveniently sent to others or be stored in a smart card with very limited secure storage. We provide formal security analysis of our schemes in the standard model. We also describe other applications of our schemes. In particular, our schemes give the first public-key patient-controlled encryption for flexible hierarchy, which was yet to be known.

  • Adaptable Ciphertext-Policy Attribute-Based Encryption
    International Conference on Pairing-based Cryptography, 2013
    Co-Authors: Junzuo Lai, Robert H. Deng, Yanjiang Yang, Jian Weng
    Abstract:

    In this paper, we introduce a new cryptographic primitive, called adaptable ciphertext-policy attribute-based encryption (CP-ABE). Adaptable CP-ABE extends the traditional CP-ABE by allowing a semi-trusted proxy to modify a ciphertext under one access policy into ciphertexts of the same plaintext under any other access policies; the proxy, however, learns nothing about the underlying plaintext. With such "adaptability" possessed by the proxy, adaptable CP-ABE has many real-world applications, such as handling policy changes in CP-ABE encryption of cloud data and outsourcing of CP-ABE encryption. Specifically, we first specify a formal model of adaptable CP-ABE; then, based on the CP-ABE scheme by Waters, we propose a concrete adaptable CP-ABE scheme and further prove its security under our security model.

  • Dynamic Secure Cloud Storage with Provenance
    Cryptography and Security, 2012
    Co-Authors: Sherman S. M. Chow, Cheng Kang Chu, Jianying Zhou, Xinyi Huang, Robert H. Deng
    Abstract:

    One concern in using cloud storage is that the sensitive data should be confidential to the servers which are outside the trust domain of data owners. Another issue is that the user may want to preserve his/her anonymity in the sharing or accessing of the data (such as in Web 2.0 applications). To fully enjoy the benefits of cloud storage, we need a confidential data sharing mechanism which is fine-grained (one can specify who can access which classes of his/her encrypted files), dynamic (the total number of users is not fixed in the setup, and any new user can decrypt previously encrypted messages), scalable (space requirement does not depend on the number of decryptors), accountable (anonymity can be revoked if necessary) and secure (trust level is minimized). This paper addresses the problem of building a secure cloud storage system which supports dynamic users and data provenance. Previous systems are based on specific constructions and do not offer all of the aforementioned desirable properties. Most importantly, dynamic users are not supported. We study the various features offered by cryptographic anonymous authentication and encryption mechanisms; and instantiate our design with verifier-local revocable group signature and identity-based broadcast encryption with constant-size ciphertexts and private keys. To realize our concept, we equip the broadcast encryption with the dynamic ciphertext update feature, and give a formal security guarantee against adaptive chosen-ciphertext decryption and update attacks.

Kaitai Liang - One of the best experts on this subject based on the ideXlab platform.

  • A Cloud-Based Access Control Scheme with User Revocation and Attribute Update
    Australasian Conference on Information Security and Privacy, 2016
    Co-Authors: Peng Zhang, Kaitai Liang, Zehong Chen, Shulan Wang, Ting Wang
    Abstract:

    Ciphertext-policy attribute-based encryption (CP-ABE) is a well-known cryptographic technology for guaranteeing not only data confidentiality but also fine-grained data access control. It enables data owners to define flexible access policies for cloud-based data sharing. However, the user revocation and attribute update problems existing in CP-ABE systems are long-standing and unsolved in the literature. In this paper, we propose the first access control CP-ABE scheme supporting user revocability and attribute update. Specifically, the user revocation is defined in the identity-based setting that does not conflict with our attribute-based design. The cost brought by attribute update is efficient in the sense that we only concentrate on the update of the ciphertexts associated with the corresponding updated attribute. Moreover, the security analysis shows that the proposed scheme is secure under the decisional Bilinear Diffie-Hellman assumption.

  • An Efficient Cloud-based Revocable Identity-based Proxy Re-encryption Scheme for Public Clouds Data Sharing
    2015
    Co-Authors: Kaitai Liang, Duncan S Wong, Joseph K Liu, Willy Susilo
    Abstract:

    Identity-based encryption (IBE) eliminates the necessity of having a costly certificate verification process. However, revocation remains a daunting task in terms of ciphertext update and key update phases, due to the lack of a certificate revocation list in this infrastructure. In this paper, we provide an affirmative solution to solve the efficiency problem incurred by revocation. We propose the first cloud-based revocable identity-based proxy re-encryption (CR-IB-PRE) scheme that supports not only user revocation but also delegation of decryption rights. Whether a user is revoked or not, at the end of a given time period the cloud acting as a proxy will re-encrypt all ciphertexts of the user under the current time period to the next time period. If the user is revoked in the forthcoming time period, he cannot decrypt the ciphertexts by using the expired private key anymore. We state that this primitive is applicable to many practical network applications, such as subscription-based cloud storage services. Compared to some naive solutions which require a private key generator (PKG) to interact with non-revoked users in each time period, the new scheme provides definite advantages in terms of communication and computation efficiency. Our scheme only requires the PKG to publish a constant-size public string for each time period and meanwhile, the workload of ciphertext update is off-loaded to the cloud server. More importantly, the scheme can be proven secure in the standard model.
    Keywords: revocable identity-based encryption, cloud-based revocable identity-based proxy re-encryption, standard model

  • An Efficient Cloud-Based Revocable Identity-Based Proxy Re-encryption Scheme for Public Clouds Data Sharing
    IACR Cryptology ePrint Archive, 2014
    Co-Authors: Kaitai Liang, Duncan S Wong, Joseph K Liu, Willy Susilo
    Abstract:

    Identity-based encryption (IBE) eliminates the necessity of having a costly certificate verification process. However, revocation remains a daunting task in terms of ciphertext update and key update phases. In this paper, we provide an affirmative solution to solve the efficiency problem incurred by revocation. We propose the first cloud-based revocable identity-based proxy re-encryption (CR-IB-PRE) scheme that supports not only user revocation but also delegation of decryption rights. Whether a user is revoked or not, at the end of a given time period the cloud acting as a proxy will re-encrypt all ciphertexts of the user under the current time period to the next time period. If the user is revoked in the forthcoming time period, he cannot decrypt the ciphertexts by using the expired private key anymore. Compared to some naive solutions which require a private key generator (PKG) to interact with non-revoked users in each time period, the new scheme provides definite advantages in terms of communication and computation efficiency.

Qiang Tang - One of the best experts on this subject based on the ideXlab platform.

  • Type-Based Proxy Re-encryption and Its Construction
    Lecture Notes in Computer Science, 2008
    Co-Authors: Qiang Tang
    Abstract:

    Recently, the concept of proxy re-encryption has been shown very useful in a number of applications, especially in enforcing access control policies. In existing proxy re-encryption schemes, the delegatee can decrypt all ciphertexts for the delegator after re-encryption by the proxy. Consequently, in order to implement fine-grained access control policies, the delegator needs to either use multiple key pairs or trust the proxy to behave honestly. In this paper, we extend this concept and propose type-based proxy re-encryption, which enables the delegator to selectively delegate his decryption right to the delegatee while needing only one key pair. As a result, type-based proxy re-encryption enables the delegator to implement fine-grained policies with one key pair without any additional trust on the proxy. We provide a security model for our concept and provide formal definitions for semantic security and ciphertext privacy, which is a valuable attribute in privacy-sensitive contexts. We propose two type-based proxy re-encryption schemes: one is CPA secure with ciphertext privacy while the other is CCA secure without ciphertext privacy.

  • Type-Based Proxy Re-encryption and Its Construction
    CTIT technical report series, 2008
    Co-Authors: Qiang Tang
    Abstract:

    Recently, the concept of proxy re-encryption has been shown very useful in a number of applications, especially in enforcing access control policies. In existing proxy re-encryption schemes, the delegatee can decrypt all ciphertexts targeted to the delegator after re-encryption by the proxy. Consequently, in order to implement fine-grained access control policies, the delegator needs to either use multiple key pairs or trust the proxy to behave honestly. In this paper, we fine-grain this concept and propose type-based proxy re-encryption, which enables the delegator to selectively delegate his decryption right to the delegatee while needing only one key pair. As a result, type-based proxy re-encryption enables the delegator to implement fine-grained policies with one key pair without any additional trust on the proxy. We provide a security model for our concept and provide formal definitions for semantic security and ciphertext privacy, which is a valuable attribute in privacy-sensitive contexts. We propose two type-based proxy re-encryption schemes: one is CPA secure with ciphertext privacy while the other is CCA secure without ciphertext privacy.

Robert W Davies - One of the best experts on this subject based on the ideXlab platform.

  • Private Genomes and Public SNPs: Homomorphic Encryption of Genotypes and Phenotypes for Shared Quantitative Genetics
    Genetics, 2020
    Co-Authors: Richard Mott, Christian Fischer, Pjotr Prins, Robert W Davies
    Abstract:

    Sharing human genotype and phenotype data is essential to discover otherwise inaccessible genetic associations, but is a challenge because of privacy concerns. Here, we present a method of homomorphic encryption that obscures individuals' genotypes and phenotypes, and is suited to quantitative genetic association analysis. Encrypted ciphertext and unencrypted plaintext are analytically interchangeable. The encryption uses a high-dimensional random linear orthogonal transformation key that leaves the likelihood of quantitative trait data unchanged under a linear model with normally distributed errors. It also preserves linkage disequilibrium between genetic variants and associations between variants and phenotypes. It scrambles relationships between individuals: encrypted genotype dosages closely resemble Gaussian deviates, and can be replaced by quantiles from a Gaussian with negligible effects on accuracy. Likelihood-based inferences are unaffected by orthogonal encryption. These include linear mixed models to control for unequal relatedness between individuals, heritability estimation, and including covariates when testing association. Orthogonal transformations can be applied in a modular fashion for multiparty federated mega-analyses where the parties first agree to share a common set of genotype sites and covariates prior to encryption. Each then privately encrypts and shares their own ciphertext, and analyses all parties' ciphertexts. In the absence of private variants, or knowledge of the key, we show that it is infeasible to decrypt ciphertext using existing brute-force or noise-reduction attacks. We present the method as a challenge to the community to determine its security.

  • Private Genomes and Public SNPs: Homomorphic Encryption of Genotypes and Phenotypes for Shared Quantitative Genetics
    bioRxiv, 2020
    Co-Authors: Richard Mott, Christian Fischer, Pjotr Prins, Robert W Davies
    Abstract:

    Sharing human genotype and phenotype data presents a challenge because of privacy concerns, but is essential in order to discover otherwise inaccessible genetic associations. Here we present a method of homomorphic encryption that obscures individuals' genotypes and phenotypes and is suited to quantitative genetic association analysis. Encrypted ciphertext and unencrypted plaintext are interchangeable from an analytical perspective. This allows one to store ciphertext on public web services and share data across multiple studies, while maintaining privacy. The encryption method uses as its key a high-dimensional random linear orthogonal transformation that leaves the likelihood of quantitative trait data unchanged under a linear model with normally distributed errors. It also preserves linkage disequilibrium between genetic variants and associations between variants and phenotypes. It scrambles relationships between individuals: encrypted genotype dosages closely resemble Gaussian deviates, and in fact can be replaced by quantiles from a Gaussian with only negligible effects on accuracy. Standard likelihood-based inferences are unaffected by orthogonal encryption. These include the use of mixed linear models to control for unequal relatedness between individuals, the estimation of heritability, and the inclusion of covariates when testing for association. Orthogonal transformations can also be applied in a modular fashion that permits multi-party federated mega-analyses. Under this scheme any number of parties first agree to share a common set of genotype sites and covariates prior to encryption. Each party then privately encrypts and shares their own ciphertext, and analyses the other parties' ciphertexts. In the absence of private variants, or knowledge of the key, we show that it is infeasible to decrypt ciphertext using existing brute-force or noise reduction attacks. Therefore, we present the method as a challenge to the community to determine its security.

Damien Vergnaud - One of the best experts on this subject based on the ideXlab platform.

  • Lossy Encryption: Constructions from General Assumptions and Efficient Selective Opening Chosen Ciphertext Security
    International Conference on the Theory and Application of Cryptology and Information Security, 2011
    Co-Authors: Brett Hemenway, Rafail Ostrovsky, Benoît Libert, Damien Vergnaud
    Abstract:

    Lossy encryption was originally studied as a means of achieving efficient and composable oblivious transfer. Bellare, Hofheinz and Yilek showed that lossy encryption is also selective opening secure. We present new and general constructions of lossy encryption schemes and of cryptosystems secure against selective opening adversaries. We show that every re-randomizable encryption scheme gives rise to efficient encryptions secure against a selective opening adversary. We show that statistically-hiding 2-round Oblivious Transfer implies Lossy Encryption and so do smooth hash proof systems. This shows that private information retrieval and homomorphic encryption both imply Lossy Encryption, and thus Selective Opening Secure Public Key Encryption. Applying our constructions to well-known cryptosystems, we obtain selective opening secure commitments and encryptions from the Decisional Diffie-Hellman, Decisional Composite Residuosity and Quadratic Residuosity assumptions. In an indistinguishability-based model of chosen-ciphertext selective opening security, we obtain secure schemes featuring short ciphertexts under standard number theoretic assumptions. In a simulation-based definition of chosen-ciphertext selective opening security, we also handle non-adaptive adversaries by adapting the Naor-Yung paradigm and using the perfect zero-knowledge proofs of Groth, Ostrovsky and Sahai.

  • Unidirectional Chosen-Ciphertext Secure Proxy Re-encryption
    IEEE Transactions on Information Theory, 2011
    Co-Authors: Benoît Libert, Damien Vergnaud
    Abstract:

    In 1998, Blaze, Bleumer and Strauss introduced a cryptographic primitive called proxy re-encryption in which a proxy can transform—without seeing the plaintext—a ciphertext encrypted under one key into an encryption of the same plaintext under another key. The concept has recently drawn renewed interest. Notably, Canetti and Hohenberger showed how to properly define (and realize) chosen-ciphertext security for the primitive. Their system is bidirectional as the translation key allows converting ciphertexts in both directions. This paper presents the first unidirectional proxy re-encryption schemes with chosen-ciphertext security in the standard model (i.e., without the random oracle idealization). The first system provably fits a unidirectional extension of the Canetti–Hohenberger security model. As a second contribution, the paper considers a more realistic adversarial model where attackers may choose dishonest users' keys on their own. It is shown how to modify the first scheme to achieve security in the latter scenario. At a moderate expense, the resulting system provides additional useful properties such as non-interactive temporary delegations. Both constructions are efficient and rely on mild complexity assumptions in bilinear groups. Like the Canetti–Hohenberger scheme, they meet a relaxed flavor of chosen-ciphertext security introduced by Canetti, Krawczyk and Nielsen.

  • Mediated Traceable Anonymous Encryption
    International Conference on Progress in Cryptology, 2010
    Co-Authors: Malika Izabachène, David Pointcheval, Damien Vergnaud
    Abstract:

    The notion of key privacy for asymmetric encryption schemes was formally defined by Bellare, Boldyreva, Desai and Pointcheval in 2001: it states that an eavesdropper in possession of a ciphertext is not able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created. Since anonymity can be misused by dishonest users, some situations could require a tracing authority capable of revoking key privacy when illegal behavior is detected. Prior works on traceable anonymous encryption miss a critical point: an encryption scheme may produce a covert channel which malicious users can use to communicate illegally using ciphertexts that trace back to nobody or, even worse, to some honest user. In this paper, we examine subliminal channels in the context of traceable anonymous encryption and we introduce a new primitive termed mediated traceable anonymous encryption that provides confidentiality and anonymity while preventing malicious users from embedding subliminal messages in ciphertexts. In our model, all ciphertexts pass through a mediator (or possibly several successive mediators) and our goal is to design protocols where the absence of covert channels is guaranteed as long as the mediator is honest, while semantic security and key privacy hold even if the mediator is dishonest. We give security definitions for this new primitive and constructions meeting the formalized requirements. Our generic construction is fairly efficient, with ciphertexts that have logarithmic size in the number of group members, while preventing collusions. The security analysis requires classical complexity assumptions in the standard model.

  • Unidirectional Chosen-Ciphertext Secure Proxy Re-encryption
    Public Key Cryptography, 2008
    Co-Authors: Benoît Libert, Damien Vergnaud
    Abstract:

    In 1998, Blaze, Bleumer, and Strauss proposed a cryptographic primitive called proxy re-encryption, in which a proxy transforms - without seeing the corresponding plaintext - a ciphertext computed under Alice's public key into one that can be opened using Bob's secret key. Recently, an appropriate definition of chosen-ciphertext security and a construction fitting this model were put forth by Canetti and Hohenberger. Their system is bidirectional: the information released to divert ciphertexts from Alice to Bob can also be used to translate ciphertexts in the opposite direction. In this paper, we present the first construction of a unidirectional proxy re-encryption scheme with chosen-ciphertext security in the standard model (i.e. without relying on the random oracle idealization), which solves a problem left open at CCS'07. Our construction is efficient and requires a reasonable complexity assumption in bilinear map groups. Like the Canetti-Hohenberger scheme, it ensures security according to a relaxed definition of chosen-ciphertext security introduced by Canetti, Krawczyk and Nielsen.