LNCS 9879
Ioannis Askoxylakis, Sotiris Ioannidis, Sokratis Katsikas, Catherine Meadows (Eds.)
Computer Security – ESORICS 2016
21st European Symposium on Research in Computer Security
Heraklion, Greece, September 26–30, 2016, Proceedings, Part II

Lecture Notes in Computer Science 9879
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison: Lancaster University, Lancaster, UK
Takeo Kanade: Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler: University of Surrey, Guildford, UK
Jon M. Kleinberg: Cornell University, Ithaca, NY, USA
Friedemann Mattern: ETH Zurich, Zurich, Switzerland
John C. Mitchell: Stanford University, Stanford, CA, USA
Moni Naor: Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan: Indian Institute of Technology, Madras, India
Bernhard Steffen: TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos: University of California, Los Angeles, CA, USA
Doug Tygar: University of California, Berkeley, CA, USA
Gerhard Weikum: Max Planck Institute for Informatics, Saarbrücken, Germany

More information about this series at http://www.springer.com/series/7410

Editors
Ioannis Askoxylakis: Institute of Computer Science, Foundation for Research and Technology - Hellas, Heraklion, Greece
Sotiris Ioannidis: Institute of Computer Science, Foundation for Research and Technology - Hellas, Heraklion, Greece
Sokratis Katsikas: Norwegian University of Science and Technology, Gjøvik, Norway
Catherine Meadows: Naval Research Laboratory, Washington, DC, USA

ISSN 0302-9743, ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-319-45740-6, ISBN 978-3-319-45741-3 (eBook)
DOI 10.1007/978-3-319-45741-3
Library of Congress Control Number: 2016950583
LNCS Sublibrary: SL4 – Security and Cryptology

© Springer International Publishing Switzerland 2016
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.

Printed on acid-free paper

This Springer imprint
is published by Springer Nature. The registered company is Springer International Publishing AG Switzerland.

Preface

This volume contains papers selected for presentation and publication at the 21st European Symposium on Research in Computer Security, ESORICS, held September 26–30, in Heraklion, Greece. Out of 285 submissions from 40 countries, the conference accepted 60 papers, resulting in an acceptance rate of 21 %. These papers cover a wide range of topics in security and privacy, including data protection, systems security, network security, access control, authentication, and security in such emerging areas as cloud computing, cyber-physical systems, and the Internet of Things. The papers were reviewed and then discussed online by a 105-member Program Committee, along with 313 external reviewers.

ESORICS 2016 would not have been possible without the contributions of the many volunteers who devoted their time and energy to make this happen. We would like to thank the Program Committee and the external reviewers for their hard work in evaluating the papers. We would also like to thank the ESORICS Steering Committee and its Chair Pierangela Samarati; the Publicity Chairs, Manolis Stamatogiannakis and Youki Kadobayashi; the Local Arrangement Committee, Nikolaos Petroulakis, Andreas Miaoudakis, and Panos Chatziadam, for arranging the beautiful location in Crete; the workshop chair, Javier Lopez, and all workshop co-chairs, who organized workshops co-located with ESORICS. We also give thanks to the many institutions for their support of ESORICS: the Horizon 2020 projects SHARCS and Virtuwind, the Hellenic Authority for Communication Security and Privacy (ADAE), the European Agency for Network and Information Security (ENISA), Huawei Technologies Co., Bournemouth University, and the CIPSEC project.

Finally, we would like to give our thanks to the authors who submitted their papers to ESORICS. They, more than anyone else, are what makes this conference possible. Welcome to
ESORICS 2016!

July 2016
Ioannis Askoxylakis
Sotiris Ioannidis
Sokratis Katsikas
Catherine Meadows

Organization

General Chairs
Ioannis Askoxylakis: Hellenic Authority for Communication Security and Privacy (ADAE) & FORTH, Greece
Sotiris Ioannidis: FORTH, Greece

Program Chairs
Sokratis K. Katsikas: Norwegian University of Science and Technology, Norway
Catherine Meadows: Naval Research Laboratory, USA

Workshops Chair
Javier Lopez: University of Malaga, Spain

Program Committee
Gail-Joon Ahn: Arizona State University, USA
Magnus Almgren: Chalmers University of Technology, Sweden
Manos Antonakakis: Georgia Institute of Technology, USA
Alessandro Armando: DIBRIS - University of Genoa, Italy
Michael Backes: Saarland University and Max Planck Institute for Software Systems, Germany
Giampaolo Bella: Università degli studi di Catania, Italy
Carlo Blundo: Università degli Studi di Salerno, Italy
Stefan Brunthaler: SBA Research, Austria
Rainer Böhme: University of Innsbruck, Austria
Christian Cachin: IBM Research - Zurich, Switzerland
Liqun Chen: Hewlett Packard Labs, UK
Tom Chothia: University of Birmingham, UK
Sherman S.M. Chow: Chinese University of Hong Kong, Hong Kong
Cas Cremers: University of Oxford, UK
Frédéric Cuppens: Telecom Bretagne, France
Nora Cuppens-Boulahia: Telecom Bretagne, France
Mads Dam: KTH, Sweden
Sabrina De Capitani di Vimercati: Università degli Studi di Milano, Italy
Hervé Debar: Télécom SudParis, France
Roberto Di Pietro: Bell Labs, France
Josep Domingo-Ferrer: Universitat Rovira i Virgili, Spain
Pavlos Efraimidis: Democritus University of Thrace, Greece
Hannes Federrath: University of Hamburg, Germany
Bao Feng: Huawei, China
Simone Fischer-Hübner: Karlstad University, Sweden
Riccardo Focardi: Università Ca’ Foscari, Italy
Simon Foley: University College Cork, Ireland
Sara Foresti: Università degli Studi di Milano, Italy
Katrin Franke: Norwegian University of Science and Technology, Norway
Felix Freiling: Friedrich-Alexander-Universität Erlangen-Nürnberg, Germany
Dieter Gollmann: Hamburg University of Technology, Germany
Dimitris Gritzalis: Athens University of Economics and Business, Greece
Stefanos Gritzalis: University of the Aegean, Greece
Joshua Guttman: Worcester Polytechnic Institute & MITRE, USA
Gerhard Hancke: City University of Hong Kong, China
Marit Hansen: Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, Germany
Feng Hao: Newcastle University, UK
Xinyi Huang: Fujian Normal University, China
Michael Huth: Imperial College London, UK
Aaron D. Jaggard: U.S. Naval Research Laboratory, USA
Sushil Jajodia: George Mason University, USA
Vasilios Katos: Bournemouth University, UK
Dogan Kesdogan: Universität Regensburg, Germany
Kwangjo Kim: Korea Advanced Institute of Science and Technology-KAIST, South Korea
Steve Kremer: Inria Nancy - Grand Est, France
Ralf Küsters: University of Trier, Germany
Junzuo Lai: Singapore Management University, Singapore
Costas Lambrinoudakis: University of Piraeus, Greece
Peeter Laud: Cybernetica AS, Estonia
Adam J. Lee: University of Pittsburgh, USA
Ninghui Li: Purdue University, USA
Yingjiu Li: Singapore Management University, Singapore
Antonio Lioy: Politecnico di Torino, Italy
Peng Liu: The Pennsylvania State University, USA
Javier Lopez: University of Malaga, Spain
Pratyusa K. Manadhata: Hewlett-Packard Laboratories, USA
Luigi V. Mancini: Università di Roma “La Sapienza”, Italy
Heiko Mantel: TU Darmstadt, Germany
Olivier Markowitch: Université Libre de Bruxelles (ULB), Belgium
Fabio Martinelli: IIT-CNR, Italy
Antonio Maña: University of Malaga, Spain
John Mitchell: Stanford University, USA
Aikaterini Mitrokotsa: Chalmers University of Technology, Sweden
Refik Molva: EURECOM, France
Charles Morisset: Newcastle University, UK
Flemming Nielson: Technical University of Denmark, Denmark
Rolf Oppliger: eSECURITY Technologies, Switzerland
Stefano Paraboschi: Università di Bergamo, Italy
Dusko Pavlovic: University of Hawaii, USA
Roberto Perdisci: University of Georgia, USA
Olivier Pereira: Université catholique de Louvain, Belgium
Günther Pernul: Universität Regensburg, Germany
Wolter Pieters: Delft University of Technology, The Netherlands
Michalis Polychronakis: Stony Brook University, USA
Joachim Posegga: University of Passau, Germany
Kui Ren: State University of New York at Buffalo, USA
Mark Ryan: University of Birmingham, UK
Peter Y.A. Ryan: University of Luxembourg, Luxembourg
Andrei Sabelfeld: Chalmers University of Technology, Sweden
Rei Safavi-Naini: University of Calgary, Canada
Pierangela Samarati: Università degli Studi di Milano, Italy
Ravi Sandhu: University of Texas at San Antonio, USA
Ralf Sasse: ETH Zürich, Switzerland
Nitesh Saxena: University of Alabama at Birmingham, USA
Andreas Schaad: Huawei European Research Center, Germany
Steve Schneider: University of Surrey, UK
Joerg Schwenk: Ruhr-Universität Bochum, Germany
Basit Shafiq: Lahore University of Management Sciences, Pakistan
Ben Smyth: Huawei, France
Einar Snekkenes: Norwegian University of Science and Technology, Norway
Willy Susilo: University of Wollongong, Australia
Krzysztof Szczypiorski: Warsaw University of Technology, Poland
A Min Tjoa: Vienna University of Technology, Austria
Aggeliki Tsohou: Ionian University, Greece
Jaideep Vaidya: Rutgers University, USA
Vijay Varadharajan: Macquarie University, Australia
Luca Viganò: King’s College London, UK
Michael Waidner: Fraunhofer SIT and TU Darmstadt, Germany
Cong Wang: City University of Hong Kong, China
Edgar Weippl: SBA Research, Austria
Christos Xenakis: University of Piraeus, Greece
Meng Yu: University of Texas at San Antonio, USA
Ben Zhao: University of California at Santa Barbara, USA
Jianying Zhou: Institute for Infocomm Research, Singapore
Sencun Zhu: The Pennsylvania State University, USA

Additional Reviewers
Ahmed, Tahmina; Akand, Mamun; Ali, Mohammed; Aliberti, Giulio; Aminanto, Muhamad Erza; Anagnostopoulos, Marios; Anand, S. Abhishek; Asghari, Hadi; Asif, Hafiz; Axelsson, Stefan; Bacis, Enrico; Balliu, Musard; Bardas, Alexandru G.; Batten, Ian; Baumann, Christoph;
Bayou, Lyes; Bello, Luciano; Berrang, Pascal; Bhatt, Sandeep; Biswas, Bhaskar; Blanco-Justicia, Alberto; Bruni, Alessandro; Bugiel, Sven; Calzavara, Stefano; Carbone, Roberto; Carmichael, Peter; Cha, Sang Gil; Chang, Bing; Chen, Ping; Chen, Rongmao; Cheng, Yuan; Choi, Rakyong; Chu, Cheng Kang; Chu, Cheng-Kang; Ciampi, Michele; Cianfriglia, Marco; Clarke, Dylan; Cohn-Gordon, Katriel; Coletta, Alessio; Costa, Gabriele; Costantino, Gianpiero; Cuvelier, Edouard; Dai, Ting; Davies, Philip; De Gaspari, Fabio; De Meo, Federico; Dehnel-Wild, Martin; Denzel, Michael; Dimitriadis, Antonios; Djoko, Judicael; Dreier, Jannik; Drogkaris, Prokopios; Drosatos, George; Elkhiyaoui, Kaoutar; Emms, Martin; Engelke, Toralf; Espes, David; Fahl, Sascha; Farràs, Oriol; Fett, Daniel; Fuchs, Ludwig; Garratt, Luke; Garrison, William; Gay, Richard; Geneiatakis, Dimitris; Georgiopoulou, Zafeiroula; Giannetsos, Thanassis; Giustolisi, Rosario; Gottschlich, Wolfram; Grohmann, Bjoern; Guan, Le; Guanciale, Roberto; Guarnieri, Marco; Gupta, Maanak; Gyftopoulos, Sotirios; Hallberg, Sven M.; Hallgren, Per; Han, Jinguang; Hassan, Sabri; Haupert, Vincent; He, Yongzhong; Hedin, Daniel; Henricksen, Matt; Hitaj, Briland; Horst, Matthias; Hu, Wenhui; Huang, Heqing; Huang, Qiong; Hummer, Matthias; Iliadis, John; Imran-Daud, Malik; Iovino, Vincenzo; Iwaya Horn, Leonardo; Jackson, Dennis; Jager, Tibor; Jarecki, Stanislaw; Jasser, Stefanie; Jiang, Hemin; Journault, Anthony; Kamm, Liina; Kandias, Miltos; Karegar, Farzaneh; Karopoulos, George; Koshutanski, Hristo; Koutsiamanis, Remous Aris; Krishnan, Ram; Kuchta, Veronika; Kunz, Michael; Kywe, Su Mon; Köhler, Olaf Markus; Lai, Russell W.F.; Lancrenon, Jean; Laube, Stefan; Lauer, Sebastian; Leichter, Carl; Lerman, Liran; Li, Depeng; Li, Yan; Li, Yuping; Lim, Hoon Wei; Lindemann, Jens; Lindner, Andreas; Liu, Jianghua; Liu, Naiwei

594 W. Liu et al.

$P_{n+d}(\mathsf{EN}(x_1), \mathsf{OR}(y_1, y_2)) = P_n(x_1, y_1)$,
$P_{n+d}(\mathsf{ED}(x_2), \mathsf{OR}(y_1, y_2)) = P_d(x_2, y_2)$.

2.2 Definition of Public-Verifiability

We review the public-verifiability of a LU-PIP-KEM scheme. This property was first defined in the IBE
setting [16] and then extended to FE settings by Yamada et al. [37]. Intuitively, a LU-PIP-KEM has public-verifiability if there exists a public verification mechanism to verify whether a given ciphertext is honestly generated. As remarked by Abdalla et al. [1], any encryption scheme with public-verifiability cannot be anonymous (also known as Private Index Predicate Encryption [6]). Hence, public-verifiability can only be achieved in PIPE, which is also the focus of this paper.

To define public-verifiability, we introduce a polynomial time algorithm Verify.

$0 \text{ or } 1 \leftarrow \mathsf{Verify}(pp, ct_y, y)$. Take as inputs the public parameter $pp$ and a ciphertext $ct_y \in \{0, 1\}^*$ under a ciphertext attribute $y \in E_n$. It outputs 0 or 1.

Verify needs to satisfy that for all $(key, ct_y) \in S[\mathsf{Encrypt}(pp, y, R_y)]$, it holds that $\mathsf{Verify}(pp, ct_y, y) = 1$, while for all $(key, ct_y) \notin S[\mathsf{Encrypt}(pp, y, R_y)]$, it must have that $\mathsf{Verify}(pp, ct_y, y) = 0$ except with a negligible probability.

Definition. A LU-PIP-KEM scheme is said to have public-verifiability if there exists an algorithm Verify in the LU-PIP-KEM scheme satisfying the completeness requirement defined above.

Modelling OO-PIPE

We formally define OO-PIPE in the KEM setting. An OO-PIP-KEM scheme consists of five polynomial time algorithms OO.Setup, OO.KeyGen, OO.OffEncrypt, OO.OnEncrypt and OO.Decrypt. The definitions of OO.Setup and OO.KeyGen are identical to those of LU-PIP-KEM systems shown in Sect. 2.1. The others are defined as follows.

$ict \leftarrow \mathsf{OO.OffEncrypt}(pp)$. Take as input only the public parameter $pp$ and output an intermediate ciphertext $ict$.

$(key, ct_y) \leftarrow \mathsf{OO.OnEncrypt}(pp, y, ict)$. Take as inputs the public parameter $pp$, a target ciphertext attribute $y \in E_n$, and an intermediate ciphertext $ict$. It outputs a session key $key$ and a ciphertext $ct_y$ associated with $y$.

$key \leftarrow \mathsf{OO.Decrypt}(pp, ct_y, y, sk_x, x)$. Take as inputs the public parameter $pp$, a ciphertext $ct_y$ associated with the ciphertext attribute $y \in E_n$, and a secret key $sk_x$ associated with the key attribute $x$
$\in K_n$. It outputs the session key $key$.

Online/Offline Public-Index Predicate Encryption 595

The correctness requires that for all $(msk, pp) \leftarrow \mathsf{OO.Setup}(\lambda, n)$, all $x \in K_n$, all $sk_x \leftarrow \mathsf{OO.KeyGen}(pp, msk, x)$, all $ict \leftarrow \mathsf{OO.OffEncrypt}(pp)$, all $y \in E_n$, and all $(key, ct_y) \leftarrow \mathsf{OO.OnEncrypt}(pp, y, ict)$, if $P_n(x, y) = 1$, then we have that $\mathsf{OO.Decrypt}(pp, ct_y, y, sk_x, x) = key$; else if $P_n(x, y) = 0$, then we have that $\mathsf{OO.Decrypt}(pp, ct_y, y, sk_x, x) = \bot$ except with a negligible probability.

We next define chosen ciphertext security in OO-PIP-KEM. The security model is similarly defined through a game played between an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$, both of which are given the parameter $\lambda$ and the dimension $n$ of the predicate as inputs.

Setup. $\mathcal{C}$ runs OO.Setup to generate the public parameter $pp$ and sends it to $\mathcal{A}$.

Phase 1. $\mathcal{A}$ adaptively issues queries:
– Secret Key Query. $\mathcal{A}$ submits a key attribute $x \in K_n$ to $\mathcal{C}$. $\mathcal{C}$ generates a secret key $sk_x$ for $x$ and gives it to $\mathcal{A}$.
– Decryption Query. $\mathcal{A}$ submits a ciphertext $ct_y$ with ciphertext attribute $y \in E_n$ to $\mathcal{C}$. $\mathcal{C}$ constructs a key attribute $x \in K_n$ with $P_n(x, y) = 1$, and runs $\mathsf{OO.KeyGen}(pp, msk, x)$ to generate a secret key $sk_x$. It then runs $\mathsf{OO.Decrypt}(pp, ct_y, y, sk_x, x)$ and returns the decryption result to $\mathcal{A}$.

Challenge. $\mathcal{A}$ outputs a challenge ciphertext attribute $y^* \in E_n$ on which it wishes to be challenged. The challenge ciphertext attribute $y^*$ must satisfy $P_n(x, y^*) = 0$ for any $x$ that $\mathcal{A}$ queried for the secret key $sk_x$. $\mathcal{C}$ generates a session key $key^*$ and a ciphertext $ct^*$ under the challenge attribute $y^*$. Then, it flips a random coin $b \in \{0, 1\}$. If $b = 0$, $\mathcal{C}$ returns $(key^*, ct^*)$ to $\mathcal{A}$. Otherwise, it randomly selects a session key $key_R^*$ and returns $(key_R^*, ct^*)$ to $\mathcal{A}$.

Phase 2. $\mathcal{A}$ further adaptively issues the following two kinds of queries:
– Secret Key Query for key attributes $x \in K_n$ satisfying $P_n(x, y^*) = 0$.
– Decryption Query for the ciphertext $ct_y$ with the constraint that $ct_y \neq ct^*$.
$\mathcal{C}$ responds the same as in Phase 1.

Guess. Finally, $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$ and wins
in the game if $b' = b$.

The advantage of $\mathcal{A}$ who issues $q_S$ secret key queries and $q_D$ decryption queries in attacking the OO-PIP-KEM system with security parameter $\lambda$ is defined as

$\mathrm{Adv}^{\text{OO-PIP-KEM}}_{\mathcal{A},q_S,q_D}(\lambda) = \Pr[b' = b] - \frac{1}{2}$.

Definition. An OO-PIP-KEM system is CCA2-secure if for any polynomial time adversary $\mathcal{A}$ who makes a total of $q_S$ secret key queries and $q_D$ decryption queries, the advantage $\mathrm{Adv}^{\text{OO-PIP-KEM}}_{\mathcal{A},q_S,q_D}(\lambda)$ of winning the security game defined above is at most a negligible function in $\lambda$.

The CPA security for an OO-PIP-KEM system can also be defined as in the preceding game, with the constraint that $\mathcal{A}$ is not allowed to issue decryption queries in Phase 1 and Phase 2.

Definition. An OO-PIP-KEM system is CPA-secure if for any polynomial time adversary $\mathcal{A}$ who makes a total of $q_S$ secret key queries and no decryption query, the advantage $\mathrm{Adv}^{\text{OO-PIP-KEM}}_{\mathcal{A},q_S,0}(\lambda)$ of winning the security game defined above is at most a negligible function in $\lambda$.

Similar to LU-PIP-KEM, the selective security of an OO-PIP-KEM system can be defined in the above game by adding an Init phase before the Setup phase. $\mathcal{A}$ must decide the challenge ciphertext attribute $y^* \in E_n$ in the Init phase.

CPA-secure OO-PIP-KEM from LU-PIP-KEM

The major challenge in constructing OO-PIP-KEM is that in the offline phase, the encryptor cannot know the ciphertext attribute that a ciphertext will be associated with. We manage to overcome this challenge by identifying a useful property, i.e., attribute-malleability, in many LU-PIPE schemes. Coarsely speaking, a LU-PIP-KEM scheme has attribute-malleability if an encryptor can malleate a ciphertext $ct_{ori}$ associated with an original ciphertext attribute $y_{ori}$ to a new ciphertext $ct_{new}$ associated with a new ciphertext attribute $y_{new}$ with the same session key $key$. Those who have the secret key $sk_x$ with key attribute $x$ satisfying $P(x, y_{new}) = 1$ can also correctly decrypt $ct_{new}$ to recover $key$.

The attribute-malleability enables an encryptor to prepare the
ciphertext without knowing the associated ciphertext attribute. In the offline phase, the encryptor randomly chooses a ciphertext attribute $y_{ori}$, and encapsulates a session key $key$ under that ciphertext attribute to generate a ciphertext $ct_{ori}$. When the target ciphertext attribute $y$ is available to the encryptor in the online phase, he malleates the ciphertext $ct_{ori}$ with the ciphertext attribute $y_{ori}$ to a target ciphertext $ct_y$ associated with the given ciphertext attribute $y$ with the same session key $key$. In decryption, the receiver who has the secret key $sk_x$ with the key attribute $x$ satisfying $P(x, y) = 1$ can decrypt the ciphertext $ct_y$ and recover the session key $key$.

4.1 Definition of Attribute-Malleability

We first introduce three polynomial time algorithms, PriMalleate, PubMalleate and Combine, in LU-PIP-KEM, and their necessary properties.

$y_{mall} \leftarrow \mathsf{PriMalleate}(y_{ori}, y_{new}, R_{ori})$. Take as inputs the original ciphertext attribute $y_{ori} \in E_n$, a new ciphertext attribute $y_{new}$, and the randomness $R_{ori}$ used to run $(key, ct_{ori}) \leftarrow \mathsf{Encrypt}(pp, y_{ori}; R_{ori})$. It outputs a malleated ciphertext attribute $y_{mall} \in E_n$.

$ct_{ori} \leftarrow \mathsf{PubMalleate}(pp, ct_{new}, y_{mall})$. Take as inputs the public parameter $pp$, a ciphertext $ct_{new}$ associated with the new ciphertext attribute $y_{new}$, and a malleated ciphertext attribute $y_{mall} \in E_n$. It outputs a ciphertext $ct_{ori} \in E_n$.

$ct_{new} \leftarrow \mathsf{Combine}(pp, ct_{ori}, y_{mall})$. Take as inputs the public parameter $pp$, a ciphertext $ct_{ori}$ associated with the ciphertext attribute $y_{ori}$, and the malleated ciphertext attribute $y_{mall}$. It outputs a ciphertext $ct_{new}$ associated with the given ciphertext attribute $y_{new}$.

These algorithms need to meet the following requirements.

– Private Malleability. For all $(key, ct_{ori}) \leftarrow \mathsf{Encrypt}(pp, y_{ori}; R_{ori})$ with a randomly chosen ciphertext attribute $y_{ori} \xleftarrow{R} E_n$ and all ciphertext attributes $y_{new} \in E_n$, if $y_{mall}$ is output by $y_{mall} \leftarrow \mathsf{PriMalleate}(y_{ori}, y_{new}, R_{ori})$, and $ct_{new}$ is generated as $ct_{new} \leftarrow$
$\mathsf{Combine}(pp, ct_{ori}, y_{mall})$, then we have $(key, ct_{new}) = \mathsf{Encrypt}(pp, y_{new}; R_{ori})$.
– Public Malleability. For all $(key, ct_{new}) \leftarrow \mathsf{Encrypt}(pp, y_{new}; R_{new})$ with a ciphertext attribute $y_{new} \in E_n$ and randomly chosen $y_{mall} \xleftarrow{R} E_n$, if $ct_{ori} \leftarrow \mathsf{PubMalleate}(pp, ct_{new}, y_{mall})$, then $(key, ct_{ori}) = \mathsf{Encrypt}(pp, y_{ori}; R_{new})$. Also, $ct_{new} = \mathsf{Combine}(pp, ct_{ori}, y_{mall})$.
– Efficiency. Running $y_{mall} \leftarrow \mathsf{PriMalleate}(y_{ori}, y_{new}, R_{ori})$ for all $y_{ori}, y_{new} \in E_n$ is more efficient than running $(key, ct_{new}) \leftarrow \mathsf{Encrypt}(pp, y_{new}; R_{new})$.

Definition 6. We say a LU-PIP-KEM scheme has attribute-malleability if there exist polynomial time algorithms PriMalleate, PubMalleate and Combine satisfying private malleability, public malleability and efficiency defined above.

4.2 Generic Transformation

We now describe our transformation. Let $\Pi$ = (Setup, KeyGen, Encrypt, Decrypt) be a CPA-secure LU-PIP-KEM scheme for predicate $P_n$ over the attribute universe $\mathbb{U} = \{0, 1\}^*$ that has attribute-malleability as defined in Definition 6. We can construct a CPA-secure OO-PIP-KEM scheme $\Pi$ = (OO.Setup, OO.KeyGen, OO.OffEncrypt, OO.OnEncrypt, OO.Decrypt) for the same predicate $P_n$ as follows.

$\mathsf{OO.Setup}(\lambda, n)$. The setup algorithm simply invokes $(msk, pp) \leftarrow \mathsf{Setup}(\lambda, n)$ and outputs the master secret key and the public parameter as $(msk, pp)$.

$\mathsf{OO.KeyGen}(pp, msk, x)$. Given a key attribute $x \in K_n$, the key generation algorithm simply calls $sk_x \leftarrow \mathsf{KeyGen}(pp, msk, x)$ and outputs the secret key $sk_x$.

$\mathsf{OO.OffEncrypt}(pp)$. The offline encryption algorithm generates a ciphertext under a randomly chosen ciphertext attribute and treats it as an intermediate ciphertext. In detail, it randomly chooses $y_{ori} \xleftarrow{R} E_n$. Then, it runs $(key, ct_{ori}) \leftarrow \mathsf{Encrypt}(pp, y_{ori}; R_{ori})$ with randomly chosen randomness $R_{ori}$ to obtain a session key and a ciphertext associated with the original ciphertext attribute $y_{ori}$. The intermediate ciphertext is $ict = (key, y_{ori}, ct_{ori}, R_{ori})$.

$\mathsf{OO.OnEncrypt}(pp, y, ict)$. When knowing the target ciphertext attribute $y \in E_n$, the online
encryption algorithm first runs $y_{mall} \leftarrow \mathsf{PriMalleate}(y_{ori}, y, R_{ori})$ to obtain a malleated ciphertext attribute $y_{mall} \in E_n$. The session key $key$ is unchanged. The ciphertext associated with the ciphertext attribute $y$ is $ct_y = (ct_{ori}, y_{mall})$. Note that the online encryption procedure only involves operations for running algorithm PriMalleate.

$\mathsf{OO.Decrypt}(pp, ct_y, y, sk_x, x)$. If $P_n(x, y) = 0$, then the key attribute $x$ does not satisfy the predicate $P_n$ for the ciphertext attribute $y$ and the decryption algorithm simply outputs $\bot$. Otherwise, it first parses $ct_y$ as $(ct_{ori}, y_{mall})$. Then, it runs $ct_y \leftarrow \mathsf{Combine}(pp, ct_{ori}, y_{mall})$ and gets a ciphertext $ct_y$ associated with the ciphertext attribute $y$. It runs $key \leftarrow \mathsf{Decrypt}(pp, ct_y, y, sk_x, x)$ to recover the session key $key$.

Correctness. Due to the private malleability, for the session key and the ciphertext generated by calling $(key, ct_{ori}) \leftarrow \mathsf{Encrypt}(pp, y_{ori}; R_{ori})$ in OO.OffEncrypt with the randomly chosen $y_{ori} \xleftarrow{R} E_n$ and for $y_{mall} \leftarrow \mathsf{PriMalleate}(y_{ori}, y, R_{ori})$, we get a LU-PIP-KEM ciphertext associated with the ciphertext attribute $y$ by running $ct_y \leftarrow \mathsf{Combine}(pp, ct_{ori}, y_{mall})$ in the decryption algorithm. Therefore, if a secret key associated with key attribute $x \in K_n$ satisfies $P_n(x, y) = 1$, then the decryption algorithm can correctly recover the session key by running $key \leftarrow \mathsf{Decrypt}(pp, ct_y, y, sk_x, x)$.

Performance. Only operations for running PriMalleate are required in the online encryption procedure, whereas in the original LU-PIP-KEM, the encryption procedure involves running algorithm Encrypt. With the efficiency requirement, for all $y_{new} \in E_n$, running PriMalleate is more efficient than running Encrypt. Therefore, the efficiency of the online encryption procedure is improved.

4.3 Security Analysis

The CPA security of our OO-PIP-KEM relies on the CPA security of the underlying LU-PIP-KEM. The major obstacle in the security proof is how to convert the challenge LU-PIP-KEM ciphertext into a challenge
OO-PIP-KEM ciphertext in the Challenge phase. We overcome this obstacle by exploiting the public malleability implied by attribute-malleability.

When obtaining the challenge LU-PIP-KEM session key $key^*$ and ciphertext $ct^*$ associated with the challenge ciphertext attribute $y^*$ from the LU-PIP-KEM challenger, we randomly choose a malleated ciphertext attribute $y^*_{mall} \in E_n$ and call $ct^*_{ori} \leftarrow \mathsf{PubMalleate}(pp, ct^*, y^*_{mall})$ to obtain a ciphertext $ct^*_{ori}$. We then construct the challenge OO-PIP-KEM ciphertext as $ct^* = (ct^*_{ori}, y^*_{mall})$.

– Since $ct^*_{ori} \leftarrow \mathsf{Encrypt}(pp, y^*_{ori})$, $ct^*_{ori}$ is a LU-PIP-KEM ciphertext.
– Since $ct^* = \mathsf{Combine}(pp, ct^*_{ori}, y^*_{mall})$, $ct^*$ is associated with $y^*$.

Therefore, $ct^*$ is a well-formed challenge OO-PIP-KEM ciphertext for the ciphertext attribute $y^*$ due to the public malleability. In this way, the challenge ciphertext simulation in the Challenge phase goes through. The formal proof is shown in the full version of the paper.

Theorem. If the underlying LU-PIP-KEM for predicate $P_n$ is CPA-secure and attribute-malleable, then the proposed OO-PIP-KEM scheme is CPA-secure for the same predicate $P_n$.

CCA2-secure OO-PIP-KEM from LU-PIP-KEM

5.1 Universally Collision Resistant Chameleon Hash Function

Collision Resistant Chameleon Hash. A Chameleon hash [22] has a hash key $chk$ and a trapdoor $td$. Anyone knowing the hash key $chk$ can efficiently compute the hash value for any given input. There also exists an efficient algorithm for the holder of the trapdoor $td$ to find collisions for every given input. However, it is infeasible for others unaware of $td$ to compute collisions for any given input, except with a negligible probability.

A Chameleon hash function [22] family CH with hash value space $\mathcal{H}$ consists of three polynomial time algorithms CHGen, CHash and Coll defined as follows.

$(chk, td) \leftarrow \mathsf{CHGen}(\lambda)$. Take the security parameter $\lambda \in \mathbb{N}$ as input, and output a Chameleon hash key/trapdoor pair $(chk, td)$.

$H \leftarrow$
$\mathsf{CHash}(chk, m, r)$. Take as inputs the Chameleon hash key $chk$, a message $m$, and an auxiliary random parameter $r$. It outputs the hash value $H \in \mathcal{H}$ for the given message $m$.

$r' \leftarrow \mathsf{Coll}(td, m, r, m')$. Take as inputs the Chameleon hash trapdoor $td$, a message $m$ with its auxiliary random parameter $r$ for previously calculating the hash value $H$, and another message $m' \neq m$. It outputs another auxiliary random parameter $r'$ such that $\mathsf{CHash}(chk, m, r) = \mathsf{CHash}(chk, m', r') = H$.

A Chameleon hash function should satisfy the collision resistance requirement, i.e., given the Chameleon hash key $chk$ as input, no efficient algorithm can find two pairs $(m, r) \neq (m', r')$ such that $\mathsf{CHash}(chk, m, r) = \mathsf{CHash}(chk, m', r')$ except with a negligible probability.

Universally Collision Resistant Chameleon Hash. Our construction exploits a Chameleon hash with universal collision resistance. A Chameleon hash function family is universally collision resistant if, even though the attacker is allowed to choose the Chameleon hash key $chk$, it remains hard to find a hash collision for any given input. Roughly speaking, the hash value $H$ can only be computed using the fixed Chameleon hash key $chk$. We denote such a Chameleon hash family as UCH, consisting of algorithms UCHGen, UCHash and UColl. Formally, UCH is universally collision resistant if, given only a description of the Chameleon hash function family, no efficient algorithm can find two tuples $(chk, m, r) \neq (chk', m', r')$ such that $\mathsf{UCHash}(chk, m, r) = \mathsf{UCHash}(chk', m', r')$ except with a negligible probability.

Generic Construction of UCH. We can construct universally collision resistant Chameleon hash functions based on any regular Chameleon hash and a standard cryptographic hash $\mathsf{Hash} : \{0, 1\}^* \rightarrow \mathcal{H}$. The construction is as follows.

$\mathsf{UCHGen}(\lambda)$. The hash key/trapdoor pair is $(chk, td) \leftarrow \mathsf{CHGen}(\lambda)$.

$\mathsf{UCHash}(chk, m, r)$. The hash value is $H = \mathsf{Hash}(\mathsf{CHash}(chk, m, r) \,\|\, chk)$.

$\mathsf{UColl}(td, m, r, m')$. Directly output $r' \leftarrow \mathsf{Coll}(td, m, r, m')$.

One with the trapdoor $td$ can still find collisions for any given
input since

$H = \mathsf{UCHash}(chk, m, r) = \mathsf{Hash}(\mathsf{CHash}(chk, m, r) \,\|\, chk) = \mathsf{Hash}(\mathsf{CHash}(chk, m', r') \,\|\, chk) = \mathsf{UCHash}(chk, m', r')$.

Without $td$, no polynomial time algorithm can find two tuples $(chk, m, r) \neq (chk', m', r')$ with $H = \mathsf{UCHash}(chk, m, r) = \mathsf{UCHash}(chk', m', r')$. Otherwise,

$\mathsf{UCHash}(chk, m, r) = \mathsf{Hash}(\mathsf{CHash}(chk, m, r) \,\|\, chk) = \mathsf{UCHash}(chk', m', r') = \mathsf{Hash}(\mathsf{CHash}(chk', m', r') \,\|\, chk')$,

which implies that we find a collision for either Hash or CH, contradicting their security notions.

5.2 Basic Idea

The public-verifiability in LU-PIPE allows a ciphertext verification mechanism, i.e., testing whether the ciphertext is honestly generated with the assigned ciphertext attribute. We can leverage such a built-in verification mechanism to construct OO-PIPE with CCA2 security. Precisely, we add an on-the-fly verification attribute $y_v$ in the ciphertext. We split the attribute universe $\mathbb{U}$ into two parts: one is the regular attribute universe $\mathcal{U}$, and the other is the verification attribute universe $\mathcal{V}$ for the verification attributes. The verification attribute $y_v \in \mathcal{V}$ is only used for ciphertext verification. In encryption, the encryptor hashes the components of a ciphertext, and treats the result as the ciphertext attribute $y_v$ to encrypt again. In the decryption procedure, the receiver computes the hash result again, and uses the ciphertext verification mechanism to verify whether the ciphertext is encrypted under the assigned ciphertext attribute and under the hash ciphertext attribute $y_v$.

Similar built-in verification has been used by Boyen et al. [7]. However, one may encounter an obstacle when directly employing their technique. The online/offline mechanism implies ciphertext forgery in the sense that a ciphertext with a ciphertext attribute can be efficiently malleated to a target ciphertext with a genuine ciphertext attribute, while any efficient ciphertext forgery must be prevented in CCA2 security. A plausible solution is to follow the technique proposed by Liu et al. [28] by
replacing the regular hash with a Chameleon hash function. With the help of the hash collision algorithm Coll in the Chameleon hash function, it is possible to malleate the ciphertext with a ciphertext attribute to a target ciphertext with the genuine ciphertext attribute, while keeping the verification terms unchanged. However, to invoke the hash collision algorithm, all encryptors must know the trapdoor of the target Chameleon hash key bound in the public parameter, which obviously implies a security problem.

To circumvent this obstacle, we use a “dynamic” universally collision resistant Chameleon hash to replace the regular Chameleon hash for each ciphertext. In offline encryption, the encryptor generates a Chameleon hash key/trapdoor pair $(chk, td)$, chooses a random ciphertext attribute $y_{ori}$, and calculates the intermediate ciphertext components for $y_{ori}$ and the temporary hash value $y_v$. When learning the genuine ciphertext attribute in the online phase, the encryptor replaces the random ciphertext attribute with the genuine one, while leveraging UCHash with the trapdoor $td$ to keep $y_v$ unchanged. The cost is an additional Chameleon hash key $chk$ in the ciphertext. In the online phase, the encryptor will run UColl, which is efficient in some Chameleon hash instantiations based on discrete log [22]. In this way, the online encryption cost stays low.

5.3 Generic Transformation

Let $\Pi$ be a CPA-secure LU-PIP-KEM scheme consisting of four algorithms Setup, KeyGen, Encrypt, Decrypt for predicate $P_n$ over the attribute universe $\mathbb{U} = \{0, 1\}^*$. Suppose that the predicate $P_n$ has OR-compatibility defined in Definition 2, $\Pi$ has attribute-malleability defined in Definition 6, and $\Pi$ has public-verifiability as defined in Sect. 2.2. We below construct a CCA2-secure OO-PIP-KEM scheme $\Pi$ including the algorithms CCA.Setup, CCA.KeyGen, CCA.OffEncrypt, CCA.OnEncrypt, CCA.Decrypt for the same predicate $P_n$ over the regular attribute universe $\mathcal{U}$ and the
verification attribute universe V with $|U| = |V|$, $U \cap V = \emptyset$ and $U \cup V = U$.

CCA.Setup(λ, n). The setup algorithm runs $(msk, pp) \leftarrow \mathrm{Setup}(\lambda, n+d)$. Then, it chooses a secure UCH function $\mathrm{UCH} : \{0, 1\}^* \to E_d$ with an auxiliary parameter universe R. The system restricts $E_d$ to be over V. The master secret key is msk. The public parameter is published as (pp, UCH, R).

CCA.KeyGen(pp, msk, x). Given the key attribute $x \in K_n$, the algorithm first extends x to $\mathrm{EN}(x) \in K_{n+d}$ using the map EN. Then, it runs $sk_{\mathrm{EN}(x)} \leftarrow \mathrm{KeyGen}(pp, msk, \mathrm{EN}(x))$ and outputs the secret key $sk_x = sk_{\mathrm{EN}(x)}$.

CCA.OffEncrypt(pp). The offline encryption algorithm first randomly chooses an original ciphertext attribute $y_{ori} \xleftarrow{R} E_n$. Then, it runs $(chk, td) \leftarrow \mathrm{UCHGen}(\lambda)$. It next picks a random $r' \xleftarrow{R} R$, and calculates an on-the-fly verification attribute $y_v = \mathrm{UCHash}(chk, y_{ori}, r')$. It uses the map OR to obtain the ciphertext attribute $\mathrm{OR}(y_{ori}, y_v) \in E_{n+d}$ and runs $(key, ct_{ori}) \leftarrow \mathrm{Encrypt}(pp, \mathrm{OR}(y_{ori}, y_v); R_{ori})$ with randomness $R_{ori}$ to generate the session key and the ciphertext. The intermediate ciphertext is $ict = (key, y_{ori}, y_v, ct_{ori}, R_{ori}, chk, td, r')$.

CCA.OnEncrypt(pp, y, ict). Once the target ciphertext attribute $y \in E_n$ is available, the online encryption algorithm extends the ciphertext attribute $y \in E_n$ to $\mathrm{OR}(y, y_v)$ and obtains a malleated ciphertext attribute $y_{mall} \in E_{n+d}$ by running $y_{mall} \leftarrow \mathrm{PriMalleate}(\mathrm{OR}(y_{ori}, y_v), \mathrm{OR}(y, y_v), R_{ori})$. It next runs $r \leftarrow \mathrm{UColl}(td, y_{ori}, r', ct_{ori} \,\|\, y_{mall})$. The session key is key, while the ciphertext $ct_y$ associated with the ciphertext attribute y is $ct_y = (ct_{ori}, y_{mall}, chk, r)$. Note that the online encryption algorithm only needs invocations of PriMalleate and UColl.

CCA.Decrypt(pp, $ct_y$, y, $sk_x$, x). The decryption algorithm recovers the on-the-fly verification attribute $y_v = \mathrm{UCHash}(chk, ct_{ori} \,\|\, y_{mall}, r)$. Then, it runs $ct_y \leftarrow \mathrm{Combine}(pp, ct_{ori}, y_{mall})$ to rebuild the ciphertext $ct_y$ with the ciphertext attribute $\mathrm{OR}(y, y_v)$. One can verify whether the ciphertext is legitimate by
testing
$$\mathrm{Verify}(pp, ct_y, \mathrm{OR}(y, y_v)) \stackrel{?}{=} 1.$$
The property of the Chameleon hash ensures $y_v = \mathrm{UCHash}(chk, ct_{ori} \,\|\, y_{mall}, r) = \mathrm{UCHash}(chk, y_{ori}, r')$, so the on-the-fly verification attribute remains the same in the online encryption procedure. If Verify outputs 0, the ciphertext is invalid and the decryption algorithm simply outputs ⊥. Otherwise, the decryption algorithm runs $key \leftarrow \mathrm{Decrypt}(pp, ct_y, \mathrm{OR}(y, y_v), sk_x, \mathrm{EN}(x))$ to recover key.

Correctness. If the ciphertext $ct_y$ is honestly generated by the encryptor with the ciphertext attribute y, then $(key, ct_y) = \mathrm{Encrypt}(pp, \mathrm{OR}(y, y_v))$ for $ct_y \leftarrow \mathrm{Combine}(pp, ct_{ori}, y_{mall})$, where $y_v$ can be correctly obtained by invoking $y_v = \mathrm{UCHash}(chk, ct_{ori} \,\|\, y_{mall}, r)$. Hence, we have that $\mathrm{Verify}(pp, ct_y, \mathrm{OR}(y, y_v)) = 1$. The decryption can be done using $sk_x = sk_{\mathrm{EN}(x)}$ for $P_{n+d}(\mathrm{EN}(x), \mathrm{OR}(y, y_v)) = P_n(x, y) = 1$. The session key can be correctly recovered with $key = \mathrm{Decrypt}(pp, ct_y, \mathrm{OR}(y, y_v), sk_x, \mathrm{EN}(x))$.

Performance. Compared with OO-PIP-KEM, the online encryption of our CCA2-secure OO-PIP-KEM construction additionally requires the operations for running UColl. By properly applying Chameleon hash functions with a rather efficient algorithm Coll [22], and by our construction shown in Sect. 5.1, UColl is also efficient. Therefore, the online encryption algorithm remains efficient. The additional communication cost is the extra ciphertext components chk and r, both of which have constant size in all existing Chameleon hash instantiations.

5.4 Security Analysis

Our OO-PIP-KEM is CCA2-secure if the underlying LU-PIP-KEM is CPA-secure. The obstacle in the CCA2 security proof is how to respond to the decryption queries for ciphertexts associated with the challenge ciphertext attribute $y^*$. We overcome this obstacle by using the extended key attribute $x_d \in K_d$ and the extended verification attribute $y_v \in E_d$. In the Challenge phase, the challenge attribute for the LU-PIP-KEM challenger is extended to $\mathrm{OR}(y^*, y_v^*)$. When the adversary issues a
decryption query for a ciphertext $ct_y$ associated with a ciphertext attribute $\mathrm{OR}(y^*, y_v)$, where $y_v$ is the verification ciphertext attribute corresponding to $ct_y$, we first run Verify to check the validity of the ciphertext. The public-verifiability ensures that Verify outputs 1 if and only if the ciphertext is honestly generated. Then, we construct a key attribute $x_v \in E_d$ such that $P(x_v, y_v) = 1$, and issue the secret key associated with $\mathrm{ED}(x_v) \in K_{n+d}$ to the LU-PIP-KEM challenger. On one hand, the OR-compatibility ensures $P_{n+d}(\mathrm{ED}(x_v), \mathrm{OR}(y^*, y_v)) = P_d(x_v, y_v)$, so that we can use this secret key to decrypt the ciphertext. On the other hand, the universal collision resistance of UCH implies $y_v \neq y_v^*$ except with negligible probability. Hence, we have $P(\mathrm{ED}(x_v), \mathrm{OR}(y^*, y_v^*)) = P_d(x_v, y_v^*) = 0$, and the secret key query is valid to the LU-PIP-KEM challenger. The decryption query is perfectly answered.

The universal collision resistance of UCH is crucial for the security proof. Although $chk^*$ in the challenge ciphertext is chosen by the encryptor, and $y_v^*$ is generated honestly, if the Chameleon hash only has the collision resistance property, it is possible for the adversary to replace $chk^*$ with another key of its choice while keeping $y_v^*$ unchanged. In detail, if the Chameleon hash is only collision resistant, after obtaining the challenge ciphertext $ct^* = (ct_{ori}^*, y_{mall}^*, chk^*, r^*)$, the adversary can replace $chk^*$ with a hash key $chk_A$ of its own choice, for which it knows the trapdoor $td_A$, in order to construct a ciphertext $ct = (ct_{ori}, y_{mall}, chk_A, r_A)$, where $(chk^*, r^*) \neq (chk_A, r_A)$ but $y_v = y_v^*$. In this case, the decryption oracle would be stuck. The universal collision resistance of the Chameleon hash family prevents the adversary from such attacks, since the hash key $chk^*$ is fixed into the hash value and can be verified by the decryption oracle. The formal security proof is shown in the full
version of the paper.

Theorem. The proposed OO-PIP-KEM is CCA2-secure if the underlying CPA-secure LU-PIP-KEM has the properties of attribute-malleability, public-verifiability and OR-compatibility.

Instantiations. Our OO-PIP-KEM transformations can apply to existing LU-PIPE schemes, including OO-IBE schemes proposed by Guo et al. [17], and OO-ABE schemes proposed by Hohenberger and Waters [18]. In addition, one can illustratively instantiate a new OO-PIP-KEM scheme by applying our transformation to a LU-PIP-KEM scheme. In 2010, Lewko, Sahai and Waters proposed a revocation encryption (RE) scheme [23]. The ciphertext is associated with an identity set of revoked users. Users who are not in the revoked set can decrypt. It can be shown that their RE satisfies attribute-malleability and public-verifiability. Hence, one can obtain an OO-RE scheme in the KEM setting by following our generic transformation.

Conclusion

We provided a general framework for constructing CCA2-secure OO-PIPE. We proposed a generic transformation from attribute-malleable LU-PIP-KEM to OO-PIP-KEM with CPA security. We further transformed CPA-secure LU-PIP-KEM to CCA2-secure OO-PIP-KEM at the cost of a Chameleon hash, assuming the underlying LU-PIP-KEM has attribute-malleability and public-verifiability.

Acknowledgement. This paper is supported by the Natural Science Foundation of China through projects 61370190, 61272501, 61402029, 61472429, 61202465 and 61532021, and by the Guangxi natural science foundation through project 2013GXNSFBB053005. K. Liang is supported by privacy-aware retrieval and modelling of genomic data (No. 13283250), the Academy of Finland.

References

1. Abdalla, M., et al.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup, V. (ed.)
CRYPTO 2005. LNCS, vol. 3621, pp. 205–222. Springer, Heidelberg (2005)
2. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: S&P 2007, pp. 321–334 (2007)
3. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
4. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)
5. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
6. Boneh, D., Sahai, A., Waters, B.: Functional encryption: definitions and challenges. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 253–273. Springer, Heidelberg (2011)
7. Boyen, X., Mei, Q., Waters, B.: Direct chosen ciphertext security from identity-based techniques. In: CCS 2005, pp. 320–329. ACM (2005)
8. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004)
9. Cheung, L., Newport, C.: Provably secure ciphertext policy ABE. In: CCS 2007, pp. 456–465. ACM (2007)
10. Chow, S.S.M., Liu, J.K., Zhou, J.: Identity-based online/offline key encapsulation and encryption. In: Cheung, B.S.N., Hui, L.C.K., Sandhu, R.S., Wong, D.S. (eds.) ASIACCS 2011, pp. 52–60. ACM (2011)
11. Even, S., Goldreich, O., Micali, S.: On-line/off-line digital signatures. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 263–275. Springer, Heidelberg (1990)
12. Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994)
13. Fujisaki, E., Okamoto, T.: Secure integration of asymmetric and symmetric encryption schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999)
14. Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006)
15. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-based encryption for fine-grained access control of encrypted data. In: CCS 2006, pp. 89–98. ACM (2006)
16. Green, M., Hohenberger, S.: Blind identity-based encryption and simulatable oblivious transfer. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 265–282. Springer, Heidelberg (2007)
17. Guo, F., Mu, Y., Chen, Z.: Identity-based online/offline encryption. In: Tsudik, G. (ed.) FC 2008. LNCS, vol. 5143, pp. 247–261. Springer, Heidelberg (2008)
18. Hohenberger, S., Waters, B.: Online/offline attribute-based encryption. In: Krawczyk, H. (ed.) PKC 2014. LNCS, vol. 8383, pp. 293–310. Springer, Heidelberg (2014)
19. Huan, J., Yang, Y., Huang, X., Yuen, T.H., Li, J., Cao, J.: Accountable mobile e-commerce scheme via identity-based plaintext-checkable encryption. Inf. Sci. 345, 143–155 (2016)
20. Huang, X., Liu, J.K., Tang, S., Xiang, Y., Liang, K., Xu, L., Zhou, J.: Cost-effective authentic and anonymous data sharing with forward security. IEEE Trans. Comput. 64(4), 971–983 (2015)
21. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008)
22. Krawczyk, H., Rabin, T.: Chameleon signatures. In: NDSS 2000. The Internet Society (2000)
23. Lewko, A., Sahai, A., Waters, B.: Revocation systems with very small private keys. In: S&P 2010, pp. 273–285. IEEE (2010)
24. Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010)
25. Lewko, A., Waters, B.: Decentralizing attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 568–588. Springer, Heidelberg (2011)
26. Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012)
27. Liu, J.K., Zhou, J.: An efficient identity-based online/offline encryption scheme. In: Abdalla, M., Pointcheval, D., Fouque, P.-A., Vergnaud, D. (eds.) ACNS 2009. LNCS, vol. 5536, pp. 156–167. Springer, Heidelberg (2009)
28. Liu, W., Liu, J., Wu, Q., Qin, B., Zhou, Y.: Practical direct chosen ciphertext secure key-policy attribute-based encryption with public ciphertext test. In: Kutylowski, M., Vaidya, J. (eds.) ICAIS 2014, Part II. LNCS, vol. 8713, pp. 91–108. Springer, Heidelberg (2014)
29. Liu, Z., Xu, L., Chen, Z., Mu, Y., Guo, F.: Hierarchical identity-based online/offline encryption. In: ICYCS 2008, pp. 2115–2119. IEEE (2008)
30. Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010)
31. Okamoto, T., Takashima, K.: Fully secure unbounded inner-product and attribute-based encryption. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 349–366. Springer, Heidelberg (2012)
32. Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: CCS 2013, pp. 463–474. ACM (2013)
33. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005)
34. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)
35. Shamir, A., Tauman, Y.: Improved online/offline signature schemes. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 355–367. Springer, Heidelberg (2001)
36. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009)
37. Yamada, S., Attrapadung, N., Hanaoka, G., Kunihiro, N.: Generic constructions for chosen-ciphertext secure attribute based encryption. In: Catalano, D., Fazio, N., Gennaro, R., Nicolosi, A. (eds.) PKC 2011. LNCS, vol. 6571, pp. 71–89. Springer, Heidelberg (2011)
38. Yamada, S., Attrapadung, N., Santoso, B., Schuldt, J.C.N., Hanaoka, G., Kunihiro, N.: Verifiable predicate encryption and applications to CCA security and anonymous predicate authentication. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 243–261. Springer, Heidelberg (2012)
39. Yeh, L., Huang, J.: PBS: a portable billing scheme with fine-grained access control for service-oriented vehicular networks. IEEE Trans. Mob. Comput. 13(11), 2606–2619 (2014)
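Added example (not code from the paper): the hash steps of CCA.OffEncrypt, CCA.OnEncrypt and CCA.Decrypt from Sect. 5.3, using UCHash(chk, m, r) = Hash(CHash(chk, m, r) ‖ chk) from Sect. 5.1, plus a check of the key-substitution case discussed in Sect. 5.4. The toy discrete-log chameleon hash, the group parameters, SHA-256 as Hash, UColl as the plain trapdoor collision, and all function names are assumptions made for illustration.

```python
import hashlib, secrets

Q = 2**127 - 1  # Mersenne prime: order of the demo subgroup (toy size)

def is_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases; enough to pick demo parameters."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Schnorr group (assumed parameters): P = K*Q + 1 prime, G of order Q.
K = next(k for k in range(2, 10**6, 2) if is_prime(k * Q + 1))
P = K * Q + 1
G = next(g for g in (pow(h, K, P) for h in range(2, 50)) if g != 1)
NBYTES = (P.bit_length() + 7) // 8

def to_exp(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def uch_gen():
    td = secrets.randbelow(Q - 1) + 1
    return pow(G, td, P), td  # (chk, td) with chk = G^td

def chash(chk, msg, r):
    """Discrete-log chameleon hash: G^H(msg) * chk^r mod P."""
    return pow(G, to_exp(msg), P) * pow(chk, r, P) % P

def uchash(chk, msg, r):
    """UCHash(chk, m, r) = Hash(CHash(chk, m, r) || chk), as in Sect. 5.1."""
    inner = chash(chk, msg, r).to_bytes(NBYTES, "big")
    return hashlib.sha256(inner + chk.to_bytes(NBYTES, "big")).digest()

def ucoll(td, msg, r, new_msg):
    """Trapdoor collision: r_new such that new_msg hashes like (msg, r)."""
    return (r + (to_exp(msg) - to_exp(new_msg)) * pow(td, -1, Q)) % Q

def offline():
    """Hash step of CCA.OffEncrypt: fix y_v before the attribute is known."""
    chk, td = uch_gen()
    y_ori, r0 = secrets.token_bytes(16), secrets.randbelow(Q)  # r0 is r'
    return {"chk": chk, "td": td, "y_ori": y_ori, "r0": r0,
            "y_v": uchash(chk, y_ori, r0)}

def online(ict, ct_ori, y_mall):
    """Hash step of CCA.OnEncrypt: open y_v to ct_ori || y_mall."""
    r = ucoll(ict["td"], ict["y_ori"], ict["r0"], ct_ori + y_mall)
    return ct_ori, y_mall, ict["chk"], r

def recompute_yv(ct):
    """First step of CCA.Decrypt: rebuild y_v from the ciphertext alone."""
    ct_ori, y_mall, chk, r = ct
    return uchash(chk, ct_ori + y_mall, r)

def rekey(ct, a=3):
    """Constructed Sect. 5.4 check: (chk^a, r/a) keeps the inner CHash."""
    ct_ori, y_mall, chk, r = ct
    return ct_ori, y_mall, pow(chk, a, P), r * pow(a, -1, Q) % Q
```

A ciphertext produced by `online` reproduces the offline `y_v`, while the output of `rekey` has the same inner `chash` value but a different `recompute_yv`, which is why a verifier that recomputes UCHash rejects a substituted hash key.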