Remarks on the Cryptographic Primitive of Attribute-based Encryption
Attribute-based encryption (ABE), which allows users to encrypt and decrypt messages based on user attributes, is a type of one-to-many encryption. Unlike conventional one-to-one encryption, which has no intention of excluding any partners of the intended receiver from obtaining the plaintext, an ABE system tries to exclude some unintended recipients from obtaining the plaintext, whether or not they are partners of some intended recipients. We remark that this requirement for ABE is very hard to meet. An ABE system cannot truly exclude some unintended recipients from decryption, because some users can exchange their decryption keys in order to maximize their own interests. The flaw discounts the importance of the cryptographic primitive.
Comment: 9 pages, 4 figures
Provisional Access Control Model for Mobile Ad-Hoc Environments: Application to Mobile Electronic Commerce
Role-based Access Control (RBAC) became popular because it can handle complicated enterprise-wide access requests while traditional access control models such as mandatory access control and discretionary access control cannot. However, it is not suitable for a mobile environment because (i) there is no central trusted authentication entity that activates each user’s roles, (ii) there are not many roles involved in such an environment, and (iii) access control decisions depend on specific actions to be performed before the decision is taken. In this paper, we introduce a provisional authorization model with location-based predicates embedded in the policy specification languages. It includes three classes of location-based conditions, namely position-based, movement-based, and interaction-based conditions. As a result, users can specify their own privacy/security policies in a mobile ad-hoc environment such as mobile auction markets.
Analysis of Lewko-Sahai-Waters Revocation System
In 2010, Lewko, Sahai and Waters proposed an efficient revocation system, but they neglected the security differences between one-to-one encryption and one-to-many encryption. In their system, an authority generates all users' decryption keys once and for all. We remark that this inherent drawback makes the system vulnerable to an attack launched by some malicious users. These malicious users could exchange their decryption keys after they receive them from the authority in order to maximize their own interests. Thus, the Lewko-Sahai-Waters revocation system cannot truly revoke a malicious user. From the practical point of view, the flaw greatly discounts the importance of the system.
On the Security of Fully Collusion Resistant Traitor Tracing Schemes
This paper investigates the security of FTT (fully collusion resistant traitor tracing) schemes in terms of DOT (Denial Of Tracing) and framing. In a DOT attack, a decoder is able to detect tracing activity and then prolongs the tracing process such that the tracer is unable to complete the tracing job in a realistic time duration and hence has to abort his effort. On the other hand, by merely embedding several bytes of non-volatile memory in the decoder, we demonstrate, for the FTT schemes, how the decoder can frame innocent users at will. Furthermore, we propose a countermeasure against the framing attack.
A note on the security of KHL scheme
Agency for Science, Technology and Research (A*STAR)
Bounded-Collusion IBE from Key Homomorphism
In this work, we show how to construct IBE schemes that are secure against a bounded number of collusions, starting with underlying PKE schemes which possess linear homomorphisms over their keys. In particular, this enables us to exhibit a new (bounded-collusion) IBE construction based on the quadratic residuosity assumption, without any need to assume the existence of random oracles. The new IBE’s public parameters are of size O(tλ log I), where I is the total number of identities which can be supported by the system, t is the number of collusions which the system is secure against, and λ is a security parameter. While the number of collusions is bounded, we note that an exponential number of total identities can be supported.
More generally, we give a transformation that takes any PKE satisfying Linear Key Homomorphism, Identity Map Compatibility, and the Linear Hash Proof Property and translates it into an IBE secure against bounded collusions. We demonstrate that these properties are more general than our quadratic residuosity-based scheme by showing how a simple PKE based on the DDH assumption also satisfies these properties.
National Science Foundation (U.S.) (NSF CCF-0729011)
National Science Foundation (U.S.) (NSF CCF-1018064)
United States. Defense Advanced Research Projects Agency (DARPA FA8750-11-2-0225)
On the mean number of encryptions for tree-based broadcast encryption schemes
The challenge of stateless-receiver broadcast encryption lies in minimizing storage and the number of encryptions while maintaining system security. Tree-based key distribution schemes offer the best known trade-off between the two parameters. Examples include the complete subtree scheme [D. Wallner, et al., Internet draft, http://www.ietf.org/ID.html [10]; C.K. Wong, et al., in: Proc. SIGCOMM, 1998, pp. 68–79 [11]], the subset difference scheme [D. Naor, et al., in: CRYPTO 2001, Lecture Notes in Comput. Sci., vol. 2139, 2001, pp. 41–62 [7]], and the layered subset difference scheme [D. Halevy, A. Shamir, in: CRYPTO 2002, Lecture Notes in Comput. Sci., vol. 2442, 2002, pp. 47–60 [5]]. We introduce generating functions for this family of schemes, which lead to analysis of the mean number of encryptions over all privileged sets of users. We also derive the mean number of encryptions when the number of privileged users is fixed. We expect that the techniques introduced as well as the results in this work will find applications in related areas.
Mergeable and revocable identity-based encryption
Identity-based encryption (IBE) has been extensively studied and widely used in various applications since Boneh and Franklin proposed the first practical scheme based on pairing. In that seminal work, it was also pointed out that providing an efficient revocation mechanism for IBE is essential. Hence, revocable identity-based encryption (RIBE) has been proposed in the literature to offer an efficient revocation mechanism. In contrast to revocation, another issue that will also occur in practice is combining two or more IBE systems into one system, e.g., due to the merger of departments or companies. However, this issue has not been formally studied in the literature, and the naive solution of creating a completely new system is inefficient. In order to efficiently address this problem, in this paper we propose the notion of mergeable and revocable identity-based encryption (MRIBE). Our scheme provides the first solution to efficiently revoke users and merge multiple IBE systems into a single system. The proposed scheme also has several nice features: when two systems are merged, no secure channel is needed for the purpose of updating user private keys; and the size of the user private key remains unchanged when multiple systems are merged. We also propose a new security model for MRIBE, which is an extension of the security model for RIBE, and prove that the proposed scheme is semantically secure without random oracles.
Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time (Version 2)
In this paper we propose two public key BE schemes that have efficient complexity measures. The first scheme, called the PBE-PI scheme, has header size, public keys and private keys per user, where is the number of revoked users. This is the first public key BE scheme that has both public and private keys under while the header size is . These complexity measures match those of efficient secret key BE schemes.

Our second scheme, called the PBE-SD-PI scheme, also has header size, public key and private keys per user. However, its decryption time is remarkably . This is the first public key BE scheme that has decryption time while the other complexity measures are kept low. Overall, this is the most efficient public key BE scheme up to now.

Our basic schemes are one-way secure against full collusion of revoked users in the random oracle model under the BDH assumption. We modify our schemes to have indistinguishability security against adaptive chosen ciphertext attacks.