Offene Themen für Arbeiten
Masterarbeiten
 Proxy Reencryption for SFCABE

Attribute based encryption (ABE) schemes allow to implement efficient and fine grained cryptographic access control to data. In ABE, data is encrypted according to a given access structure. Users possess keys according to their rights or attributes, respectively. A user is able to decrypt a ciphertext and hence to access the corresponding data if and only if his attributes satsify the access structure of the ciphertext.
The decryption of ABE ciphertexts is relatively complex. In order to be able to decrypt ABE ciphertexts on resource constrained devices, Green et. al proposed a proxy reencryption scheme for ABE [1]. Here, a proxy transforms an ABE ciphertext into a conventional ElGamal ciphertext with the help of an ABE transformation key. Then, the ElGamal ciphertext can be efficiently decrypted in the standard way. Even with the transformation key, the proxy obtains no information about the encrypted data.
The thesis deals with a subset of the following aspects of the proxyreencryption scheme of [1]:
 In [1], only an outline of the security proof is given. The task is to complete this outline into a rigorous proof of security.
 The reencryption scheme of [1] is based on the ABE encryption scheme of [2]. The task is to generalize the approach of [1] such that it can be applied to other ABE schemes like, e.g., [3].
 In [1], the FujisakiOkamoto transform is used to achieve CCA security in the random oracle model. The construction of [1] is proof of concept and uses a onetime pad to encrypt the message. For practical application it is preferred to use the scheme in combination with a symmetric block mode in a hybrid encryption scheme. The task is to adapt the construction of [1] accordingly.
 The construction of [1] assures confidentiality of the message also against malicious adversaries. Authenticity is not guaranteed with malicious proxies but [1] outlines an extension to provide also authenticity. The task is to formally specify the extended scheme and proof its security.
 The research group Codes&Cryptography develops a Java framework for pairing based cryptography. The task is to extend this framework and include the scheme of [1], preferably with the extension of Task2, Task3, and Task4.
 It is planned to use the approach of [1] in the collaborative research project “Securing the financial cloud (SFC)”. The task is to apply the scheme of [1] to an SFC usecase.
The focus of the thesis will be selected according to the background of the student.
The thesis will be supervised by Paderborn University, research group Codes & Cryptography and the Wincor Nixdorf International GmbH.
Language: English or German.
Literature
 [1] Matthew Green, Susan Hohenberger, and Brent Waters. "Outsourcing the Decryption of ABE Ciphertexts." USENIX Security Symposium. Vol. 2011. No. 3. 2011.
 [2]: Brent Waters. "Ciphertextpolicy attributebased encryption: An expressive, efficient, and provably secure realization." Public Key Cryptography–PKC 2011. Springer Berlin Heidelberg, 2011. pp. 5370.
 [3]: Yannis Rouselakis, and Brent Waters. "Practical constructions and new proof methods for large universe attributebased encryption." Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 2013.
 Improving features of anonymous communication

Many cryptographic systems, such as group signatures, have builtin privacy. For group signatures, this means that no polynomialtime adversary can, given a signature, find out who signed it (he only learns that some member of the group signed the message). In practice, the great measure of anonymity is diminished when used over the internet: if A sends an anonymous signature to B, then the signature itself does not reveal A's identity, but the IP address within the TCP packet does.
Using an anonymous communication system, a set of parties can communicate anonymously, i.e. the receiver of a message does not learn who sent it and the sender of a message only knows the receiver under some pseudonym. Today this is usually done using TOR. Recent research culminated in a new system that is based on trusted execution environments (such as Intel's SGX) and offers a much higher degree of security than TOR and other such schemes.
We suggest several possible extensions to this system:
 Revocation of pseudonyms (using, for example, Bloom filters)
 Efficiency improvements using network coding
 Allow nodes to dynamically join or leave the system
 ...
The thesis should deal with (some of) these extensions. Optionally, these ideas can be implemented into our existing prototype implementation (using the SGX SDK, language is C++).
There are initial ideas how to realize them, but there is lots of space for new ideas. The original construction uses ideas from both cryptography and overlay networks and is a nice application of both.
Bachelorarbeiten
 Communicationoptimal accumulators based on bilinear maps

A cryptographic accumulator is a constantsize representation of a (large) set S. For every element in S, there is a short witness such that anyone given the accumulator and the witness can verify that indeed, the element is included in the original set S. For every element not in S, finding such witnesses is computationally intractable (under the usual cryptographic assumptions).
A typical application for accumulators is revocation (e.g., of access rights). When someone gets certain access rights, their ID is included in some public accumulator. To get access, one simply computes a witness for his ID in the accumulator and supplies that to the verifier. If at some point, access needs to be revoked, the responsible party can simply remove the ID from the accumulator, preventing the party from gaining access in the future.
Usually, whenever the accumulator changes to a new set S', every owner of an accumulated ID in S' needs to update his witness so that it fits the accumulator for S' instead of S. A desirable trait of accumulators is being able to update witnesses incrementally instead of having to recompute witnesses for new sets from scratch. Baldimtsi et al. recently published an accumulator with the unique property that if S' is a superset of S (i.e. only additions occured), no witness updates are necessary at all. They base their construction on the strong RSA assumption.
However, in many contexts RSAbased accumulators are inconvenient. Many constructions that would want to use accumulators for revocation are based on primeorder groups with bilinear maps, which makes them incompatible with the published accumulator.
The rough idea behind this thesis topic is to first understand the construction of Baldimtsi et al. and to provide detailed proofs for their claims (they only sketch proof ideas in their paper). Then, you should transfer their ideas to the primeorder group setting, making them applicable for a large range of modern cryptographic constructions. For this, the accumulator by Nguyen serves as a base construction for an accumulator that is extendable with methods similar to Baldimtsi's.
 Sigma protocols for anonymous credentials

In a recent project group, we implemented an anonymous credential system. In such a system, users are given credentials that they can use to authenticate anonymously (i.e. the verifier learns only that some user with access rights is talking to it, but does not learn which one).
Such credentials are associated with attributes (such as age, country, etc.) over which statements (such as "age > 18", "country = 'Germany'") are proven in a privacypreserving manner. Such a proof is enabled by Sigma protocols (usually based on Schnorr's protocol, which you may know from our lectures). The project group implemented several Sigma protocols (one, for example, that does an "age > 18" proof) and ways to compose them.
The goal of this thesis is to research and implement new Sigma protocols that enable different statements, or are more efficient than the ones we currently use. One example for such an improvement is batch verification of Sigma protocols. During the work on the thesis, you (with our help) will identify more possible improvements. If everything goes well, your work will become part of our opensource anonymous credential system and provide performance improvements and/or additional features.