Group Encryption


1 Computer Science and Engineering, University of Connecticut, Storrs, CT, USA
2 BQuotes, New York, NY, USA
3 Google and Computer Science, Columbia University, New York, NY, USA

Abstract. We present group encryption, a new cryptographic primitive which is the encryption analogue of a group signature. It possesses similar verifiability, security and privacy properties, but whereas a group signature is useful whenever we need to conceal the source (signer) within a group of legitimate users, a group encryption is useful whenever we need to conceal a recipient (decryptor) within a group of legitimate receivers. We introduce and model the new primitive and present sufficient as well as necessary conditions for its generic implementation. We then develop an efficient novel number theoretic construction for group encryption of discrete logarithms whose complexity is independent of the group size. As part of achieving this we construct a new public-key encryption for discrete logarithms that satisfies CCA2-key-privacy and CCA2-security in the standard model (this gives the first Paillier-based system with the above two properties proven in the standard model). Applications of group encryption include settings where a user wishes to hide her preferred trusted third party or even impose a hidden hierarchy of trusted parties while being required to assure well-formed ciphertexts, as well as oblivious storage settings where the set of retrievers needs to be verifiable but the storage distribution should be oblivious to the server.

1 Introduction

Group signatures were introduced in [22] and further developed in a line of works, e.g., [23,20,17,18,11,36,4,3,14,6,33,8,16,7,34,2,43,9,35,30]. In a nutshell, a group signature allows a registered member of a PKI (a.k.a. a group of registered users) to issue a signature on behalf of the group so that the issuer's identity is assured to be valid but is hidden from the verifier. After its introduction, the primitive has found numerous applications. In this work we introduce a novel cryptographic primitive that is the encryption analogue of a group signature; we call it group encryption (not to be confused with group-oriented cryptography as in [26,12], which is essentially threshold cryptosystems). A group encryption scheme allows a sender to prepare a ciphertext and convince a verifier that it can be decrypted by a member of a given PKI group. As in group signature, in a group encryption there can be an opening authority that can reveal the identity of the group member who is the recipient of the ciphertext when the appropriate circumstances are triggered. Note that group encryption provides "receiver anonymity" in the same way that group signature provides "sender anonymity." Nevertheless, this primitive was never considered in the group-signature literature before, ev

A. Kiayias, Y. Tsiounis, and M. Yung. In: K. Kurosawa (Ed.): ASIACRYPT 2007, LNCS 4833, pp. 181–199, 2007. © International Association for Cryptology Research 2007