The Decision Diffie-Hellman Problem
1998
The Decision Diffie-Hellman assumption (DDH) is a gold mine. It enables one to construct efficient cryptographic systems with strong security properties. In this paper we survey the recent applications of DDH as well as known results regarding its security. We describe some open problems in this area.

1 Introduction

An important goal of cryptography is to pin down the exact complexity assumptions used by cryptographic protocols. Consider the Diffie-Hellman key exchange protocol [12]: Alice and Bob fix a finite cyclic group G and a generator g. They respectively pick random a, b ∈ [1, |G|] and exchange g^a, g^b. The secret key is g^{ab}. To totally break the protocol a passive eavesdropper, Eve, must compute the Diffie-Hellman function defined as: dh_g(g^a, g^b) = g^{ab}. We say that the group G satisfies the Computational Diffie-Hellman assumption (CDH) if no efficient algorithm can compute the function dh_g(x, y) in G. Precise definitions are given in the next sectio...
CLIQUES: A New Approach to Group Key Agreement
1998
This paper considers the problem of key agreement in a group setting with a highly dynamic group member population. A protocol suite, called CLIQUES, is developed by extending the well-known Diffie-Hellman key agreement method to support dynamic group operations. The constituent protocols are secure, efficient and applicable to any protocol layer, communication paradigm and network topology.
Provably Authenticated Group Diffie-Hellman Key Exchange
2001
Group Diffie-Hellman protocols for Authenticated Key Exchange (AKE) are designed to provide a pool of players with a shared secret key which may later be used, for example, to achieve multicast message integrity. Over the years, several schemes have been offered. However, no formal treatment for this cryptographic problem has ever been suggested. In this paper, we present a security model for this problem and use it to precisely define AKE (with "implicit" authentication) as the fundamental goal, and the entity-authentication goal as well. We then define in this model the execution of an authenticated group Diffie-Hellman scheme and prove its security.
Communication Complexity of Group Key Distribution
1998
Communication complexity has always been an important issue when designing group key distribution systems. This paper systematically studies what can be achieved for the most common measures of protocol complexity. Lower bounds for the total number of messages, the total number of exchanges, and the number of necessary rounds are established, whereby models that allow broadcasting have to be distinguished from those that do not. For every measure of protocol complexity, we furthermore show that the corresponding bound is realistic for Diffie-Hellman-based protocols by referring to or introducing protocols that match the bound or exceed it by only one.
Applications of Multilinear Forms to Cryptography
Contemporary Mathematics, 2002
We study the problem of finding efficiently computable non-degenerate multilinear maps from G_1 to G_2, where G_1 and G_2 are groups of the same prime order, and where computing discrete logarithms in G_1 is hard. We present several applications to cryptography, explore directions for building such maps, and give some reasons to believe that finding examples with n > 2 may be difficult.
Authenticated Group Key Agreement and Friends
1998
Many modern computing environments involve dynamic peer groups. Distributed simulation, multi-user games, conferencing and replicated servers are just a few examples. Given the openness of today's networks, communication among group members must be secure and, at the same time, efficient. This paper studies the problem of authenticated key agreement in dynamic peer groups with the emphasis on efficient and provably secure key authentication, key confirmation and integrity. It begins by considering 2-party authenticated key agreement and extends the results to Group Diffie-Hellman key agreement. In the process, some new security properties (unique to groups) are discussed.

1 Introduction

This paper is concerned with security services in the context of dynamic peer groups (DPGs). Such groups are common in many network protocol layers and in many areas of modern computing, and the solutions to their security needs, in particular key management, are still open research challenges [19]. Exa...
Efficient Selective-ID Secure Identity Based Encryption without Random Oracles
Proceedings of Eurocrypt 2004, volume 3027 of LNCS, 2004
We construct two efficient Identity Based Encryption (IBE) systems that are selective identity secure without the random oracle model. Selective identity secure IBE is a slightly weaker security model than the standard security model for IBE. In this model the adversary must commit ahead of time to the identity that it intends to attack, whereas in the standard model the adversary is allowed to choose this identity adaptively. Our first secure IBE system extends to give a selective identity Hierarchical IBE secure without random oracles.
One-Round Protocols for Two-Party Authenticated Key Exchange
ACNS, 2004
Abstract. Cryptographic protocol design in a two-party setting has often ignored the possibility of simultaneous message transmission by each of the two parties (i.e., using a duplex channel). In particular, most protocols for two-party key exchange have been designed assuming that parties alternate sending their messages (i.e., assuming a bidirectional half-duplex channel). However, by taking advantage of the communication characteristics of the network it may be possible to design protocols with improved latency. This is the focus of the present work. We present a number of provably-secure protocols for two-party authenticated key exchange (AKE) which require only a single round. Our first protocol provides key independence only, and is analyzed in the random oracle model. This scheme matches the most efficient AKE protocols among those found in the literature. Our second scheme additionally provides forward secrecy, and is also analyzed in the random oracle model. Our final protocol provides the same strong security guarantees, but is proven secure in the standard model. This scheme is only slightly less efficient (from a computational perspective) than the previous ones. These last two schemes are the first provably-secure one-round protocols for authenticated 2-party key exchange which provide forward secrecy.
Round-optimal contributory conference key agreement
2003
Abstract. Becker and Wille derived a lower bound of only one round for multi-party contributory key agreement protocols. Up until now no protocol meeting this bound has been proven secure. We present a protocol meeting the bound and prove it is secure in Bellare and Rogaway's model. The protocol is much more efficient than other conference key agreement protocols with provable security, but lacks forward secrecy.
An Integrated Solution for Secure Group Communication in Wide-Area Networks
In Proc. of 6th IEEE Symposium on Computers and Communications, 2001
Many distributed applications require a secure reliable group communication system to provide coordination among the application components. This paper describes a secure group layer (SGL) which bundles a reliable group communication system, a group authorization and access control mechanism, and a group key agreement protocol to provide a comprehensive and practical secure group communication platform. SGL also encapsulates the standard message security services (i.e., confidentiality, authenticity and integrity). A number of challenging issues encountered in the design of SGL are brought to light and experimental results obtained with a prototype implementation are discussed.