PROACTIVE SECRET SHARING Or: How to Cope With Perpetual Leakage
, 1998
Cited by 183 (12 self)
Secret sharing schemes protect secrets by distributing them over different locations (share holders). In particular, in k out of n threshold schemes, security is assured if throughout the entire lifetime of the secret the adversary is restricted to compromise less than k of the n locations. For long-lived and sensitive secrets this protection may be insufficient. We propose an efficient proactive secret sharing scheme, where shares are periodically renewed (without changing the secret) in such a way that information gained by the adversary in one time period is useless for attacking the secret after the shares are renewed. Hence, an adversary willing to learn the secret needs to break into all k locations during the same time period (e.g., one day, a week, etc.). Furthermore, in order to guarantee the availability and integrity of the secret, we provide mechanisms to detect maliciously (or accidentally) corrupted shares, as well as mechanisms to secretly recover the correct...
Establishing Pairwise Keys for Secure Communication in Ad Hoc Networks: A Probabilistic Approach
, 2003
Cited by 103 (11 self)
A prerequisite for secure communication between two nodes in an ad hoc network is that the nodes share a key to bootstrap their trust relationship. In this paper, we present a scalable and distributed protocol that enables two nodes to establish a pairwise shared key on the fly, without requiring the use of any online key distribution center. The design of our protocol is based on a novel combination of two techniques: probabilistic key sharing and threshold secret sharing. Our protocol is scalable since every node only needs to possess a small number of keys, independent of the network size, and it is computationally efficient because it only relies on symmetric-key cryptographic operations. We show that a pairwise key established between two nodes using our protocol is secure against a collusion attack by up to a certain number of compromised nodes. We also show through a set of simulations that our protocol can be parameterized to meet the desired levels of performance, security and storage for the application under consideration.
Resilient Network Coding in the Presence of Byzantine Adversaries
Cited by 102 (26 self)
Network coding substantially increases network throughput. But since it involves mixing of information inside the network, a single corrupted packet generated by a malicious node can end up contaminating all the information reaching a destination, preventing decoding. This paper introduces distributed polynomial-time rate-optimal network codes that work in the presence of Byzantine nodes. We present algorithms that target adversaries with different attacking capabilities. When the adversary can eavesdrop on all links and jam z_O links, our first algorithm achieves a rate of C − 2z_O, where C is the network capacity. In contrast, when the adversary has limited eavesdropping capabilities, we provide algorithms that achieve the higher rate of C − z_O. Our algorithms attain the optimal rate given the strength of the adversary. They are information-theoretically secure. They operate in a distributed manner, assume no knowledge of the topology, and can be designed and implemented in polynomial time. Furthermore, only the source and destination need to be modified; non-malicious nodes inside the network are oblivious to the presence of adversaries and implement a classical distributed network code. Finally, our algorithms work over wired and wireless networks.
Byzantine Modification Detection in Multicast Networks using Randomized Network Coding
 in IEEE Proc. Intl. Sym. Inform. Theory
, 2004
Cited by 82 (12 self)
We show how distributed randomized network coding, a robust approach to multicasting in distributed network settings, can be extended to provide Byzantine modification detection without the use of cryptographic functions.
Secure communication in minimal connectivity models
 Journal of Cryptology
, 1998
Cited by 49 (1 self)
Problems of secure communication and computation have been studied extensively in network models. In this work, we ask what is possible in the information-theoretic setting when the adversary is very strong (Byzantine) and the network connectivity is very low (the minimum needed for crash-tolerance). For some natural models, our results imply a sizable gap between the connectivity required for perfect security and for probabilistic security. Our results also have implications for the commonly studied simple channel model and for general secure multiparty computation.
Secret sharing made short
, 1988
Cited by 44 (0 self)
A well-known fact in the theory of secret sharing schemes is that shares must be at least as long as the secret itself. However, the proof of this lower bound uses the notion of information-theoretic secrecy. A natural (and very practical) question is whether one can do better for secret sharing if the notion of secrecy is computational, namely, against resource-bounded adversaries. In this note we observe that, indeed, one can do much better in the computational model (which is the one used in most applications). We present an m-threshold scheme, where m shares recover the secret but m−1 shares give no (computational) information on the secret, in which shares corresponding to a secret S are of size |S|/m plus a short piece of information whose length does not depend on the secret size but just on the security parameter. (The bound of |S|/m is clearly optimal if the secret is to be recovered from m shares.) Therefore, for moderately large secrets (a confidential file, a long message, a large database) the savings in space and communication over traditional schemes are remarkable. The scheme is very simple and combines in a natural way traditional (perfect) secret sharing schemes, encryption, and information dispersal. It is provably secure given a secure (e.g., private-key) encryption function.
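The two secret-sharing results in this listing (the proactive renewal of Herzberg et al. above, and Krawczyk's computational scheme just described) both rest on the same Shamir machinery, so the following added example, written for this page and not taken from either paper, shows them together: (k, n) Shamir sharing over a prime field, a share-renewal round in which every holder deals a fresh sharing of zero so that shares from different periods no longer combine, and Krawczyk's construction, where the secret is encrypted under a short key, only the key is Shamir-shared, and the ciphertext is dispersed so that each holder stores about |S|/k bytes. The modulus 2^255−19, the SHA-256 counter-mode toy cipher and the systematic Reed-Solomon dispersal are choices made here for illustration, not prescribed by the papers.

```python
# Added illustration, not code from either paper: Shamir (k, n) sharing,
# proactive share renewal (Herzberg et al.) and Krawczyk's "secret sharing
# made short".  Modulus, toy cipher and dispersal code are assumptions.
import hashlib
import secrets

P = 2**255 - 19      # prime modulus of the share field
SYM = 31             # dispersal symbol size in bytes; a 31-byte value is < P

def interpolate(points, x):
    # Evaluate at x the unique polynomial of degree < len(points) passing
    # through {(i, y_i)}; with x = 0 this is Shamir reconstruction.
    acc = 0
    for i, y in points.items():
        num = den = 1
        for j in points:
            if j != i:
                num = num * (x - j) % P
                den = den * (i - j) % P
        acc = (acc + y * num * pow(den, -1, P)) % P
    return acc

def share(secret, k, n):
    # Random polynomial f of degree k-1 with f(0) = secret; holder i gets f(i).
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    f = lambda x: sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P
    return {i: f(i) for i in range(1, n + 1)}

def reconstruct(shares):
    return interpolate(shares, 0)

def renew(shares, k):
    # Proactive refresh: every holder deals a fresh sharing of 0 and each holder
    # adds the zero-shares it receives.  f(0) is unchanged, the polynomial is new.
    n = len(shares)
    new = dict(shares)
    for _dealer in shares:
        zero = share(0, k, n)
        for i in new:
            new[i] = (new[i] + zero[i]) % P
    return new

def _keystream(key, length):
    # Toy stream cipher: SHA-256 in counter mode (use AES-GCM in practice).
    return b"".join(hashlib.sha256(key + c.to_bytes(8, "big")).digest()
                    for c in range(length // 32 + 1))[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def disperse(data, k, n):
    # Information dispersal as systematic Reed-Solomon: each block of k symbols
    # is the degree-(k-1) polynomial through (1, d_1)..(k, d_k); fragment i holds
    # its value at x = i, so any k fragments rebuild the block (|data|/k each).
    padded = data + b"\x00" * (-len(data) % (k * SYM))
    syms = [int.from_bytes(padded[o:o + SYM], "big")
            for o in range(0, len(padded), SYM)]
    frags = {i: [] for i in range(1, n + 1)}
    for b in range(0, len(syms), k):
        block = {j + 1: syms[b + j] for j in range(k)}
        for i in frags:
            frags[i].append(interpolate(block, i))
    return frags

def reassemble(frags, k, length):
    # frags: any k of the n fragments, keyed by holder index.
    out = bytearray()
    for pos in range(len(next(iter(frags.values())))):
        block = {i: f[pos] for i, f in frags.items()}
        for j in range(1, k + 1):
            out += interpolate(block, j).to_bytes(SYM, "big")
    return bytes(out[:length])

def short_share(secret, k, n):
    # Krawczyk: E = Enc_K(S) under a fresh 128-bit K; Shamir-share K
    # (size independent of |S|) and disperse E (about |S|/k per holder).
    key = secrets.token_bytes(16)
    ct = _xor(secret, _keystream(key, len(secret)))
    ks = share(int.from_bytes(key, "big"), k, n)
    cs = disperse(ct, k, n)
    return {i: (ks[i], cs[i]) for i in range(1, n + 1)}

def short_reconstruct(shares, k, length):
    # Any k (key share, ciphertext fragment) pairs recover S.
    key = reconstruct({i: s[0] for i, s in shares.items()}).to_bytes(16, "big")
    ct = reassemble({i: s[1] for i, s in shares.items()}, k, length)
    return _xor(ct, _keystream(key, length))

def demo(k=3, n=5):
    s = secrets.randbelow(P)
    old = share(s, k, n)
    new = renew(old, k)
    ok_new = reconstruct({i: new[i] for i in (1, 3, 5)}) == s
    # one stale share mixed with two fresh ones yields garbage, not s
    ok_mix = reconstruct({1: old[1], 3: new[3], 5: new[5]}) != s
    doc = b"confidential file contents " * 150       # constructed sample secret
    sh = short_share(doc, k, n)
    ok_short = short_reconstruct({i: sh[i] for i in (2, 4, 5)}, k, len(doc)) == doc
    frag_len = len(sh[1][1]) * SYM                  # roughly len(doc) / k
    return ok_new and ok_mix and ok_short and frag_len < len(doc) // 2
```

Running `demo()` reconstructs the refreshed secret from any three of the five new shares, shows that a share left over from the previous period no longer combines with fresh ones, and recovers a 4 KB secret from three holders each storing a 16-byte key share plus a ciphertext fragment of roughly a third of the secret's length. The example omits the verifiable-sharing checks the Herzberg et al. scheme adds to detect corrupted shares, and a deployed version would replace the toy cipher with an authenticated one.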
Eavesdropping games: A graphtheoretic approach to privacy in distributed systems
 JOURNAL OF THE ACM
, 1993
Cited by 37 (2 self)
We initiate a graph-theoretic approach to study the (information-theoretic) maintenance of privacy in distributed environments in the presence of a bounded number of mobile eavesdroppers (“bugs”). For two fundamental privacy problems, secure message transmission and distributed database maintenance, we assume an adversary is “playing eavesdropping games,” coordinating the movement of the bugs among the sites to learn the current memory contents. We consider various mobility settings (adversaries), motivated by the capabilities (strength) of the bugging technologies (e.g., how fast a bug can be reassigned). We combinatorially characterize and compare privacy maintenance problems, determine their feasibility (under numerous bug models), suggest protocols for the feasible cases, and analyze their computational complexity.
Perfectly secure message transmission revisited
 In: Proc. Eurocrypt ’02
, 2002
Cited by 37 (7 self)
Achieving secure communications in networks has been one of the most important problems in information technology. Dolev, Dwork, Waarts, and Yung have studied secure message transmission in one-way or two-way channels. They only consider the case when all channels are two-way or all channels are one-way. Goldreich, Goldwasser, and Linial, Franklin and Yung, Franklin and Wright, and Wang and Desmedt have studied secure communication and secure computation in multi-recipient (multicast) models. In a “multicast channel” (such as Ethernet), one processor can send the same message—simultaneously and privately—to a fixed subset of processors. In this paper, we shall study necessary and sufficient conditions for achieving secure communications against active adversaries in mixed one-way and two-way channels. We also discuss multicast channels and neighbor network channels.
Distributed PseudoRandom Functions and KDCs
 ADVANCES IN CRYPTOLOGY: EUROCRYPT '99, VOLUME 1592 OF LECTURE NOTES IN COMPUTER SCIENCE
, 1999
Cited by 29 (0 self)
This work describes schemes for distributing between n servers the evaluation of a function f which is an approximation to a random function, such that only authorized subsets of servers are able to compute the function. A user who wants to compute f(x) should send x to the members of an authorized subset and receive information which enables him to compute f(x). We require that such a scheme is consistent, i.e. that given an input x all authorized subsets compute the same value f(x). The solutions we present enable the operation of many servers, preventing bottlenecks or single points of failure. There are also no single entities which can compromise the security of the entire network. The solutions can be used to distribute the operation of a Key Distribution Center (KDC). They are far better than the known partitioning to domains or replication solutions to this problem, and are especially suited to handle users of multicast groups.
The Round Complexity of Verifiable Secret Sharing and Secure Multicast
, 2001
Cited by 25 (6 self)
The round complexity of interactive protocols is one of their most important complexity measures. In this work we study the exact round complexity of two basic secure computation tasks: Verifiable Secret Sharing (VSS) and Secure Multicast. VSS allows a dealer to share a secret among several players in a way that would later allow a unique reconstruction of the secret. It is a well-studied primitive, which is used as a building block in virtually every general protocol for secure multiparty computation. Secure multicast is perhaps the simplest non-trivial instance of a secure computation. It allows a dealer to securely distribute an identical message to all players in a prescribed subset M. Both types of protocols are parameterized by the number of players, n, and a security threshold, t, which bounds the total number of malicious players (possibly including the dealer).