TY - GEN
T1 - Public-key encryption in the bounded-retrieval model
AU - Alwen, Joël
AU - Dodis, Yevgeniy
AU - Naor, Moni
AU - Segev, Gil
AU - Walfish, Shabsi
AU - Wichs, Daniel
N1 - Copyright:
Copyright 2010 Elsevier B.V., All rights reserved.
PY - 2010
Y1 - 2010
N2 - We construct the first public-key encryption scheme in the Bounded-Retrieval Model (BRM), providing security against various forms of adversarial "key leakage" attacks. In this model, the adversary is allowed to learn arbitrary information about the decryption key, subject only to the constraint that the overall amount of "leakage" is bounded by at most ℓ bits. The goal of the BRM is to design cryptographic schemes that can flexibly tolerate arbitrary leakage bounds ℓ (a few bits or many gigabytes) by only increasing the size of the secret key proportionally, while keeping all the other parameters - including the size of the public key, the ciphertext, the encryption/decryption time, and the number of secret-key bits accessed during decryption - small and independent of ℓ. As our main technical tool, we introduce the concept of an Identity-Based Hash Proof System (IB-HPS), which generalizes the notion of hash proof systems of Cramer and Shoup [CS02] to the identity-based setting. We give three different constructions of this primitive based on: (1) bilinear groups, (2) lattices, and (3) quadratic residuosity. As a result of independent interest, we show that an IB-HPS almost immediately yields an Identity-Based Encryption (IBE) scheme which is secure against (small) partial leakage of the target identity's decryption key. As our main result, we use IB-HPS to construct public-key encryption (and IBE) schemes in the Bounded-Retrieval Model.
AB - We construct the first public-key encryption scheme in the Bounded-Retrieval Model (BRM), providing security against various forms of adversarial "key leakage" attacks. In this model, the adversary is allowed to learn arbitrary information about the decryption key, subject only to the constraint that the overall amount of "leakage" is bounded by at most ℓ bits. The goal of the BRM is to design cryptographic schemes that can flexibly tolerate arbitrary leakage bounds ℓ (a few bits or many gigabytes) by only increasing the size of the secret key proportionally, while keeping all the other parameters - including the size of the public key, the ciphertext, the encryption/decryption time, and the number of secret-key bits accessed during decryption - small and independent of ℓ. As our main technical tool, we introduce the concept of an Identity-Based Hash Proof System (IB-HPS), which generalizes the notion of hash proof systems of Cramer and Shoup [CS02] to the identity-based setting. We give three different constructions of this primitive based on: (1) bilinear groups, (2) lattices, and (3) quadratic residuosity. As a result of independent interest, we show that an IB-HPS almost immediately yields an Identity-Based Encryption (IBE) scheme which is secure against (small) partial leakage of the target identity's decryption key. As our main result, we use IB-HPS to construct public-key encryption (and IBE) schemes in the Bounded-Retrieval Model.
UR - http://www.scopus.com/inward/record.url?scp=77954650592&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77954650592&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-13190-5_6
DO - 10.1007/978-3-642-13190-5_6
M3 - Conference contribution
AN - SCOPUS:77954650592
SN - 3642131891
SN - 9783642131899
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 113
EP - 134
BT - Advances in Cryptology - Eurocrypt 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Proceedings
T2 - 29th in the Series of European Conferences on the Theory and Application of Cryptographic Techniques, Eurocrypt 2010
Y2 - 30 May 2010 through 3 June 2010
ER -