traceable group encryption
play

Traceable Group Encryption t Libert 1 Moti Yung 2 Marc Joye 1 Thomas - PowerPoint PPT Presentation

Apr 16, 2023 •10 likes •190 views

Traceable Group Encryption t Libert 1 Moti Yung 2 Marc Joye 1 Thomas Peters 3 Beno 1 Technicolor (France) 2 Google Inc. and Columbia University (USA) 3 UCL Crypto Group (Belgium) March 28, 2014 Buenos Aires B. Libert (Technicolor) PKC 2014

  1. Traceable Group Encryption ıt Libert 1 Moti Yung 2 Marc Joye 1 Thomas Peters 3 Benoˆ 1 Technicolor (France) 2 Google Inc. and Columbia University (USA) 3 UCL Crypto Group (Belgium) March 28, 2014 Buenos Aires B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 1 / 18

  2. Outline Group Encryption 1 Background and motivations Related Work Model and Syntax of Traceable Group Encryption 2 A Non-Interactive TGE Scheme in the Standard Model 3 Ingredients Outline of the scheme Underlying assumptions B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 2 / 18

  3. Group Encryption Kiayias-Tsiounis-Yung (Asiacrypt’07): encryption analogue of group signatures. Involves a group manager (GM) and an opening authority (OA). Sender CCA2-encrypts a message for a (certified) group member who remains anonymous in the CCA2-sense . . . . . . and generates a proof that the ciphertext is valid and intended for some certified group member the OA will be able to identify the receiver the plaintext is a witness satisfying some relation B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 3 / 18

  4. Group Encryption Applications: Sender can encrypt emails to anonymous organization members while appending proofs that the content is not a spam/malware Verifiable encryption of messages/keys to anonymous TTP ex.: International escrow system where users may prefer hiding their preferred TTP Oblivious retriever storage: server temporarily stores encrypted data for anonymous retrievers ex.: Asynchronous transfers of encrypted credentials / datasets via the cloud Group signatures with ad-hoc opening, hierarchical group signatures B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 4 / 18

  5. Group Encryption Related work: Kiayias-Tsiounis-Yung (Asiacrypt’07): - Modular design from key-private public key encryption, digital signatures, extractable commitments and ZK proofs - Efficient construction from Paillier; Proofs require either interaction or the ROM Qin et al. (Inscrypt’08): related primitive with better efficiency in the ROM under interactive assumptions Cathalo-Libert-Yung (Asiacrypt’09): construction with non-interactive proofs in the standard model Izabach` ene-Pointcheval-Vergnaud (Latincrypt’10): individual users’ traceability; removal of subliminal channels El Aimani-Joye (ACNS’13): optimized constructions with interactive or non-interactive proofs B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 5 / 18

  6. Group Encryption Almost all previous constructions require to open all ciphertexts to find those encrypted for a specific group member - Damaging to the privacy of well-behaved users - Tracing is an inherently sequential operation Exception: Izabach` ene-Pointcheval-Vergnaud (Latincrypt’10) gives individual traceability, but without explicit opening and only with IND-CPA security ⇒ Explicitly “opening” one ciphertext in a population of n users requires O ( n ) operations Need for a mechanism, akin to traceable signatures (Kiayias-Tsiounis-Yung, Eurocrypt’04), allowing to individually trace users This paper : primitive named Traceable Group Encryption, encryption analogue of traceable signatures B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 6 / 18

  7. Traceable Group Encryption Properties : Encryption analogue of traceable signatures (Kiayias-Tsiounis-Yung, Eurocrypt’04) Opening authority can release a user-specific trapdoor allowing to trace all ciphertexts encrypted for that user Honest users’ privacy is not affected Tracing operations can be delegated to clerks, running in parallel Users can claim their own ciphertexts and disclaim other ciphertexts Our Contribution : precise modeling, construction in the standard model B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 7 / 18

  8. Model of Traceable Group Encryption Involve a non-interactive ( i.e. , 2-round) join protocol Users generate their key pair on their own; no proof of knowledge of sk i and no rewind in security proofs Made possible using structure-preserving signatures (Abe et al. , Crypto’10) B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 8 / 18

  9. Model of Traceable Group Encryption Group Encryption syntax B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 9 / 18

  10. Model of Traceable Group Encryption Additional functionalities of Traceable Group Encryption Implicit tracing mechanism: Claiming capability: using sk i and a ciphertext ψ , user U i can generate a claim / disclaimer τ B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 10 / 18

  11. Security Model Message security : CCA2-security of honest receivers against colluding dishonest GM and OA Anonymity (a.k.a. key privacy): CCA2-anonymity of ciphertexts Preserved against dishonest GM Subsumes the CCA2-key privacy of the receiver’s encryption scheme . . . and the IND-CCA2 security of the OA’s encryption scheme Soundness : no coalition of OA with dishonest groups members can Produce a ciphertext ψ with a valid proof π such that Open ( ψ, sk OA ) = ⊥ Output a ciphertext-proof pair whose opening disagrees with the implicit tracing mechanism Claiming Soundness : users cannot disclaim their own ciphertexts or “hijack” other users’ ciphertexts B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 11 / 18

  12. Our Construction: Ingredients Assumes a common reference string (like [KTY07, CLY09,EAJ13]) Uses Groth-Sahai proof systems (Eurocrypt’08) and the Linear assumption Uses structure-preserving signatures (Abe et al. , Crypto’10) as membership certificates . . . and CCA2-secure public key encryption schemes: The Libert-Yung DLIN-based CCA2-secure cryptosystem (TCC’12): anonymity and built-in proofs of ciphertext validty Kiltz’s tag-based encryption scheme (publicly verifiable ciphertext validity) B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 12 / 18

  13. Our Construction: Outline Users’ keys are of the form pk = ( X 1 , X 2 , Γ 1 , Γ 2 ) = ( g x 1 1 g x 0 , g x 2 2 g x 0 , g γ 1 , g γ 2 ) ∈ G 4 GM holds a key pair ( sk GM , pk GM ) for a structure-preserving signature which allows certifying pk = ( X 1 , X 2 , Γ 1 , Γ 2 ) During the Join protocol, user sends a verifiable encryption Φ venc of trace i = g γ 1 γ 2 under pk OA , where ( g , Γ 1 , Γ 2 , g γ 1 γ 2 ) is a Diffie-Hellman tuple Each TGE ciphertext carries a traceability component g δ , Γ δ/ω , Γ ω � � ( T 1 , T 2 , T 3 ) = 1 2 such that trace i = g γ 1 γ 2 solves the CDH instance ( T 1 , T 2 , T 3 ) Ciphertext must include T 4 = (Λ VK · Λ 1 ) δ , where (SK , VK) allows one-time 0 signing the whole ciphertext B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 13 / 18

  14. Our Construction: Outline Each TGE ciphertext contains a traceability component g δ , Γ δ/ω � , Γ ω � ( T 1 , T 2 , T 3 ) = 1 2 such that trace i = g γ 1 γ 2 allows testing e ( T 1 , g γ 1 γ 2 ) = e ( T 2 , T 3 ) g δ , Γ δ/ω Using ( γ 1 , γ 2 ) ∈ Z 2 � , Γ ω � p , user can claim ( T 1 , T 2 , T 3 ) = by 1 2 computing T γ 1 1 such that e ( T γ 1 = Γ δ 1 , Γ 2 ) = e ( T 2 , T 3 ) 1 . . . and proving knowledge of g 1 /γ 1 using a Groth-Sahai CRS “bound” to the ciphertext (cf. Malkin-Teranishi-Vahlis-Yung, TCC’11) Disclaiming proceeds similary B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 14 / 18

  15. TGE Scheme for the Diffie-Hellman relation � � A scheme for the Diffie-Hellman relation R = { ( X , Y ) , W | e ( g , W ) = e ( X , Y ) } . Encryption phase: Sender encrypts W under pk i using a CCA2-anonymous encryption scheme . . . and pk i under pk OA using a CCA2-secure system Proof generation: Compute commitments to pk i and cert pk i Prove that (i) commitments contain a valid pair (pk i , cert pk i ); (ii) pk i is the key encrypted under pk OA ; (iii) consistency with traceability components Prove that W satisfies R B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 15 / 18

  16. Our Construction: Security Relies on the hardness of the following problem: ∈ G 8 and tuples a , b , ˜ � � The q -SFP Problem : given g z , h z , g r , h r , a , ˜ b { ( z j , r j , s j , t j , u j , v j , w j ) } q j =1 s.t. e ( a , ˜ a ) = e ( g z , z j ) · e ( g r , r j ) · e ( s j , t j ) e ( b , ˜ b ) = e ( h z , z j ) · e ( h r , u j ) · e ( v j , w j ) , find a new such tuple ( z ⋆ , r ⋆ , s ⋆ , t ⋆ , u ⋆ , v ⋆ , w ⋆ ) with z ⋆ � = 1 G The Decision Linear problem: given ( g , g 1 , g 2 , g a 1 , g b 2 , Z ), decide if Z = g a + b or Z ∈ R G The Decision 3 -party Diffie-Hellman assumption: given ( g , g a , g b , g c , η ) decide if η = g abc or η ∈ R G B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 16 / 18

  17. Summary Contributions : Security model for Traceable Group Encryption Efficient non-interactive construction in the standard model Ciphertexts and proofs fit within 2 . 18 kB and 9 . 38 kB at the 128-bit security level Open problems : Practical construction with shorter proofs Improve the efficiency for general pairing-product equation B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 17 / 18

  18. Thanks! B. Libert (Technicolor) PKC 2014 March 28, 2014 Buenos Aires 18 / 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about

Ruby Monstas Session 17: Interlude: Encryption Encryption What comes to mind if you think about encryption? Encryption Certificates Crypto Currencies Public Key AES Encryption Privacy SSH VPN HTTPS TLS Quantum Digital Signatures

837 views • 46 slides
Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ;

Authenticated Encryption Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp Motivation for Authenticated Encryption Authenticated Encryption (AE) m 1 m 2 Security goals: Confidentiality and integrity of messages

649 views • 60 slides
Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware

Usable Encryption Class Presentation for CMSC 818D Wei Bai S Application S Hardware Encryption S Web Encryption S Email Encryption OpenPGP S S/MIME S S Online Social Network Public Key Encryption S Encryption/Decryption

842 views • 26 slides
Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Provable Security Meets the Real World Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH Binary Packet Protocol IPsec MAC-then-Encrypt Lessons learned? 2 Outline RSA encryption in PKCS#1

948 views • 61 slides
Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic

Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic

Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic Encryption Group Homomorphism: Two groups G and G are homomorphic if there exists a function (homomorphism) f:G G such that for all x,y G,

1.79k views • 165 slides
RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of

RSA Encryption 10 February 2012 RSA Encryption 10 February 2012 1/35 We saw some methods of encryption Wednesday, but none of these is good enough to be used in actual situations. Today well talk about one method, RSA Encryption, which is

1.01k views • 59 slides
Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse

Identity-based encryption and Generic group model (work in progress) Peeter Laud Arvutiteaduse teooriaseminar Tallinn, 05.01.2012 Identity-based encryption Public-key encryption, where public key = name no PKI necessary

815 views • 24 slides
Advanced Encryption Standard (AES) AES Group March 3, 2019 Content 1 Introduction Methods

Advanced Encryption Standard (AES) AES Group March 3, 2019 Content 1 Introduction Methods

Faculty of Information Engineering and Technology Advanced Encryption Standard (AES) AES Group March 3, 2019 Content 1 Introduction Methods AddRoundKey SubBytes ShiftRows MixColumns Key Expansion Conclusion AES Group | The Feather

926 views • 31 slides
Non-Hamiltonian and Non-Traceable Regular 3-Connected Planar Graphs Nico Van Cleemput Carol T.

Non-Hamiltonian and Non-Traceable Regular 3-Connected Planar Graphs Nico Van Cleemput Carol T.

Introduction Cubic Quartic Quintic Conclusion Non-Hamiltonian and Non-Traceable Regular 3-Connected Planar Graphs Nico Van Cleemput Carol T. Zamfirescu Combinatorial Algorithms and Algorithmic Graph Theory Department of Applied

821 views • 42 slides
Non-Hamiltonian and Non-Traceable Regular 3-Connected Planar Graphs Nico Van Cleemput Carol T.

Non-Hamiltonian and Non-Traceable Regular 3-Connected Planar Graphs Nico Van Cleemput Carol T.

Introduction Quartic Quintic Conclusion Non-Hamiltonian and Non-Traceable Regular 3-Connected Planar Graphs Nico Van Cleemput Carol T. Zamfirescu Combinatorial Algorithms and Algorithmic Graph Theory Department of Applied Mathematics,

673 views • 40 slides
Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a

Secret-Key Encryption Introduction Encryption is the process of encoding a message in such a way that only authorized parties can read the content of the original message History of encryption dates back to 1900 BC Two types of

533 views • 38 slides
Traceable Anonymous Certificate dra raft-ie ietf-pkix-tac-01.txt IE IETF-72 at t PKIX IX WG

Traceable Anonymous Certificate dra raft-ie ietf-pkix-tac-01.txt IE IETF-72 at t PKIX IX WG

Traceable Anonymous Certificate dra raft-ie ietf-pkix-tac-01.txt IE IETF-72 at t PKIX IX WG Park, SangHwan shpark@kisa.or.kr Stephen Kent kent@bbn.com Overview I-D defines a practical architecture and protocols for offering privacy in

275 views • 8 slides
Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure

Functional Encryption Lecture 27 Functional Encryption Plain encryption: for secure communication. Does not allow modifying encrypted data. Homomorphic Encryption: allows computation on encrypted data, but result remains encrypted Functional

987 views • 61 slides
Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2

Encryption at Rest in ZFS Tom Caputi tcaputi@datto.com Overview of Encryption Implementation 2 What is Encryption? Want to prevent someone (an attacker) from accessing private data Permissions arent good enough Root user can

788 views • 20 slides
Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption

Functional Encryption for Regular Languages Brent Waters Public Key Encryption [DH76,M78,RSA78,GM84] Avoid Prior Secret Exchange PubK SK 2 Functional Encryption [SW05] Functionality: f( , ) MSK Authority Key: y 2 {0,1}* y SK CT: x

945 views • 16 slides
Encryption Beyond Group Homomorphism Bilinear Groups Lecture 18 l l a c e

Encryption Beyond Group Homomorphism Bilinear Groups Lecture 18 l l a c e

Encryption Beyond Group Homomorphism Bilinear Groups Lecture 18 l l a c e Homomorphic Encryption R Group Homomorphism: Two groups G and G are homomorphic if there exists a function (homomorphism) f:G G such that for all

556 views • 12 slides
A Tour of Perl Testing A Tour of Perl Testing Perl agentzh@yahoo.cn

A Tour of Perl Testing A Tour of Perl Testing Perl agentzh@yahoo.cn

A Tour of Perl Testing A Tour of Perl Testing Perl agentzh@yahoo.cn (agentzh) 2009.9 Why testing? When things have gone wrong in collaboration... agentzh: With my patch in r2545, Jifty's I18N should work for

562 views • 54 slides
Don't Call Us, We'll Call You: Characterizing Callbacks in JavaScript Keheliya Gallaba, Ali

Don't Call Us, We'll Call You: Characterizing Callbacks in JavaScript Keheliya Gallaba, Ali

Don't Call Us, We'll Call You: Characterizing Callbacks in JavaScript Keheliya Gallaba, Ali Mesbah, Ivan Beschastnikh University of British Columbia 1 Why JavaScript? On the client 2 Why JavaScript? On the client On the server 3 Why

987 views • 63 slides
Anonymous Authorisation in Smart Environments Florian Baumann Chair for Network Architectures

Anonymous Authorisation in Smart Environments Florian Baumann Chair for Network Architectures

Anonymous Authorisation in Smart Environments Florian Baumann Chair for Network Architectures and Services Department for Computer Science Technische Universit at M unchen August 13, 2014 Florian Baumann: Anonymous Authorisation in

358 views • 21 slides
LARIAT: Lincoln Adaptable Real-time Information Assurance Testbed Lee M. Rossey Jesse C. Rabek,

LARIAT: Lincoln Adaptable Real-time Information Assurance Testbed Lee M. Rossey Jesse C. Rabek,

LARIAT: Lincoln Adaptable Real-time Information Assurance Testbed Lee M. Rossey Jesse C. Rabek, Robert K. Cunningham, David J. Fried, Rich P. Lippmann, Marc A. Zissman RAID 2001 October 10, 2001 This work was sponsored by the United States

314 views • 27 slides
Beyond Vanilla LTP Spike-timing-dependent-plasticity or STDP Hebbian learning rule aSN W

Beyond Vanilla LTP Spike-timing-dependent-plasticity or STDP Hebbian learning rule aSN W

Beyond Vanilla LTP Spike-timing-dependent-plasticity or STDP Hebbian learning rule aSN W MN,aSN MN learning threshold under which LTD can occur w ij = x j (v i - ) Stimulation electrode Recording electrode (extracellular) R di l

825 views • 43 slides
-Presence M. Ercan Nergiz Maurizio Atzori Chris Clifton Pisa KDD Lab Outline Adversary

-Presence M. Ercan Nergiz Maurizio Atzori Chris Clifton Pisa KDD Lab Outline Adversary

C onsiglio N azionale delle R icerche Hiding the Presence of Individuals from Shared Databases: -Presence M. Ercan Nergiz Maurizio Atzori Chris Clifton Pisa KDD Lab Outline Adversary Models Existential Uncertainty Model

815 views • 22 slides
The Hidden Cost of Violent Confmict: Sorting into Local Labor Markets A Field Experiment in

The Hidden Cost of Violent Confmict: Sorting into Local Labor Markets A Field Experiment in

The Hidden Cost of Violent Confmict: Sorting into Local Labor Markets A Field Experiment in Colombia May 4, 2019 1 IHS, Vienna 2 University of Gttingen 3 DICE, University of Dsseldorf 1 / 25 Kerstin Grosch 1 Marcela Ibanez 2 Gerhard Riener 3

704 views • 25 slides
Diffusion and Strategic Interaction on Social Networks Leeat Yariv Summer School in Algorithmic

Diffusion and Strategic Interaction on Social Networks Leeat Yariv Summer School in Algorithmic

Diffusion and Strategic Interaction on Social Networks Leeat Yariv Summer School in Algorithmic Game Theory, Part1, 8.6.2012 Why Networks Matter 15 th Century Florentine Marriages (Padgett and Ansell, 1993) Why Networks Matter Florence

1.41k views • 108 slides

More recommend