Results 1  10
of
37
Revocation and Tracing Schemes for Stateless Receivers
, 2001
"... Abstract. We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their ..."
Abstract

Cited by 193 (4 self)
 Add to MetaCart
Abstract. We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their state from session to session. We present a framework called the SubsetCover framework, which abstracts a variety of revocation schemes including some previously known ones. We provide sufficient conditions that guarantees the security of a revocation algorithm in this class. We describe two explicit SubsetCover revocation algorithms; these algorithms are very flexible and work for any number of revoked users. The schemes require storage at the receiver of log N and 1 2 log2 N keys respectively (N is the total number of users), and in order to revoke r users the required message lengths are of r log N and 2r keys respectively. We also provide a general traitor tracing mechanism that can be integrated with any SubsetCover revocation scheme that satisfies a “bifurcation property”. This mechanism does not need an a priori bound on the number of traitors and does not expand the message length by much compared to the revocation of the same set of traitors. The main improvements of these methods over previously suggested methods, when adopted to the stateless scenario, are: (1) reducing the message length to O(r) regardless of the coalition size while maintaining a single decryption at the user’s end (2) provide a seamless integration between the revocation and tracing so that the tracing mechanisms does not require any change to the revocation algorithm.
Collusion resistant broadcast encryption with short ciphertexts and private keys
"... We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers. The public ke ..."
Abstract

Cited by 134 (18 self)
 Add to MetaCart
We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers. The public key size in this system is linear in the total number of receivers. Our second system is a generalization of the first that provides a tradeoff between ciphertext size and public key size. For example, we achieve a collusion resistant broadcast system for n users where both ciphertexts and public keys are of size O (√n) for any subset of receivers. We discuss several applications of these systems.
The LSD Broadcast Encryption Scheme
, 2002
"... Abstract. Broadcast Encryption schemes enable a center to broadcast encrypted programs so that only designated subsets of users can decrypt each program. The stateless variant of this problem provides each user with a fixed set of keys which is never updated. The best scheme published so far for thi ..."
Abstract

Cited by 97 (0 self)
 Add to MetaCart
Abstract. Broadcast Encryption schemes enable a center to broadcast encrypted programs so that only designated subsets of users can decrypt each program. The stateless variant of this problem provides each user with a fixed set of keys which is never updated. The best scheme published so far for this problem is the “subset difference ” (SD) technique of Naor Naor and Lotspiech, in which each one of the n users is initially given O(log 2 (n)) symmetric encryption keys. This allows the broadcaster to define at a later stage any subset of up to r users as “revoked”, and to make the program accessible only to their complement by sending O(r) short messages before the encrypted program, and asking each user to perform an O(log(n)) computation. In this paper we describe the “Layered Subset Difference ” (LSD) technique, which achieves the same goal with O(log 1+ɛ (n)) keys, O(r) messages, and O(log(n)) computation. This reduces the number of keys given to each user by almost a square root factor without affecting the other parameters. In addition, we show how to use the same LSD keys in order to address any subset defined by a nested combination of inclusion and exclusion conditions with a number of messages which is proportional to the complexity of the description rather than to the size of the subset. The LSD scheme is truly practical, and makes it possible to broadcast an unlimited number of programs to 256,000,000 possible customers by giving each new customer a smart card with one kilobyte of tamperresistant memory. It is then possible to address any subset defined by t nested inclusion and exclusion conditions by sending less than 4t short messages, and the scheme remains secure even if all the other users form an adversarial coalition. 1
Keyinsulated public key cryptosystems
 In EUROCRYPT
, 2002
"... Abstract. Cryptographic computations (decryption, signature generation, etc.) are often performed on a relatively insecure device (e.g., a mobile device or an Internetconnected host) which cannot be trusted to maintain secrecy of the private key. We propose and investigate the notion of keyinsulat ..."
Abstract

Cited by 78 (10 self)
 Add to MetaCart
(Show Context)
Abstract. Cryptographic computations (decryption, signature generation, etc.) are often performed on a relatively insecure device (e.g., a mobile device or an Internetconnected host) which cannot be trusted to maintain secrecy of the private key. We propose and investigate the notion of keyinsulated security whose goal is to minimize the damage caused by secretkey exposures. In our model, the secret key(s) stored on the insecure device are refreshed at discrete time periods via interaction with a physicallysecure — but computationallylimited — device which stores a “master key”. All cryptographic computations are still done on the insecure device, and the public key remains unchanged. In a (t, N)keyinsulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods of his choice is unable to violate the security of the cryptosystem for any of the remaining N − t periods. Furthermore, the scheme remains secure (for all time periods) against an adversary who compromises only the physicallysecure device. We focus primarily on keyinsulated publickey encryption. We construct a (t, N)keyinsulated encryption scheme based on any (standard) publickey encryption scheme, and give a more ef£cient construction based on the DDH assumption. The latter construction is then extended to achieve chosenciphertext security. 1
Combinatorial Properties of Frameproof and Traceability Codes
 IEEE Transactions on Information Theory
, 2000
"... In order to protect copyrighted material, codes may be embedded in the content or codes may be associated with the keys used to recover the content. Codes can oer protection by providing some form of traceability for pirated data. Several researchers have studied dierent notions of traceability a ..."
Abstract

Cited by 61 (10 self)
 Add to MetaCart
(Show Context)
In order to protect copyrighted material, codes may be embedded in the content or codes may be associated with the keys used to recover the content. Codes can oer protection by providing some form of traceability for pirated data. Several researchers have studied dierent notions of traceability and related concepts in recent years. \Strong" versions of traceability allow at least one member of a coalition that constructs a \pirate decoder" to be traced. Weaker versions of this concept ensure that no coalition can \frame" a disjoint user or group of users. All these concepts can be formulated as codes having certain combinatorial properties. In this paper, we study the relationships between the various notions, and we discuss equivalent formulations using structures such as perfect hash families. We use methods from combinatorics and coding theory to provide bounds (necessary conditions) and constructions (sucient conditions) for the objects of interest. 1 Introduction In...
Efficient Trace and Revoke Schemes
 Financial Cryptography  FC 2000
, 2000
"... Our goal is to design encryption schemes for mass distribution of data in which it is possible to (1) deter users from leaking their personal keys, (2) trace which users leaked keys to construct an illegal decryption device, and (3) revoke these keys as to render the device dysfunctional. We start b ..."
Abstract

Cited by 58 (1 self)
 Add to MetaCart
Our goal is to design encryption schemes for mass distribution of data in which it is possible to (1) deter users from leaking their personal keys, (2) trace which users leaked keys to construct an illegal decryption device, and (3) revoke these keys as to render the device dysfunctional. We start by designing an efficient revocation scheme, based on secret sharing. It can remove up to t parties and is secure against coalitions of up to t users. The performance of this scheme is more efficient than that of previous schemes with the same properties. We then show how to enhance the revocation scheme with traitor tracing and self enforcement properties. More precisely, how to construct schemes such that (1) Each user's personal key contains some sensitive information of that user (e.g., the user's credit card number), in order to make users would be reluctant to disclose their keys. (2) An illegal decryption device discloses the identity of users that contributed keys to construct the device. And, (3) it is possible to revoke the keys of corrupt users. For the last point it is important to be able to do so without publicly disclosing the sensitive information.
Fully collusion resistant traitor tracing with short ciphertexts and private keys
 In EUROCRYPT
, 2006
"... We construct a fully collusion resistant tracing traitors system with sublinear size ciphertexts and constant size private keys. More precisely, let N be the total number of users. Our system generates ciphertexts of size O ( √ N) and private keys of size O(1). We first introduce a simpler primitiv ..."
Abstract

Cited by 52 (10 self)
 Add to MetaCart
We construct a fully collusion resistant tracing traitors system with sublinear size ciphertexts and constant size private keys. More precisely, let N be the total number of users. Our system generates ciphertexts of size O ( √ N) and private keys of size O(1). We first introduce a simpler primitive we call private linear broadcast encryption (PLBE) and show that any PLBE gives a tracing traitors system with the same parameters. We then show how to build a PLBE system with O ( √ N) size ciphertexts. Our system uses bilinear maps in groups of composite order. 1
Publickey broadcast encryption for stateless receivers
 In Digital Rights Management — DRM ’02, volume 2696 of LNCS
, 2002
"... A broadcast encryption scheme allows the sender to securely distribute data to a dynamically changing set of users over an insecure channel. One of the most challenging settings for this problem is that of stateless receivers, where each user is given a fixed set of keys which cannot be updated thro ..."
Abstract

Cited by 41 (4 self)
 Add to MetaCart
A broadcast encryption scheme allows the sender to securely distribute data to a dynamically changing set of users over an insecure channel. One of the most challenging settings for this problem is that of stateless receivers, where each user is given a fixed set of keys which cannot be updated through the lifetime of the system. This setting was considered by Naor, Naor and Lotspiech [NNL01], who also present a very efficient “subset difference ” (SD) method for solving this problem. The efficiency of this method (which also enjoys efficient traitor tracing mechanism and several other useful features) was recently improved by Halevi and Shamir [HS02], who called their refinement the “Layered SD ” (LSD) method. Both of the above methods were originally designed to work in the centralized symmetric key setting, where only the trusted designer of the system can encrypt messages to users. On the other hand, in many applications it is desirable not to store the secret keys “online”, or to allow untrusted users to broadcast information. This leads to the question of building a public key broadcast encryption scheme for stateless receivers; in particular, of extending the elegant SD/LSD methods to the public key setting. Naor et al. [NNL01] notice that the natural technique for doing so will result in an enormous public key and very large storage for every user. In fact, [NNL01] pose this question of reducing the public key size and user’s storage as the first open problem of their paper. We resolve this question in the affirmative, by demonstrating that an O(1) size public key can be achieved for both of SD/LSD methods, in addition to the same (small) user’s storage and ciphertext size as in the symmetric key setting. 1
Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack
 In Public Key Cryptography — PKC ’03, volume 2567 of LNCS
, 2003
"... Abstract. A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption withthe capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a mes ..."
Abstract

Cited by 38 (8 self)
 Add to MetaCart
(Show Context)
Abstract. A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption withthe capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of “revoked” users can decrypt the resulting ciphertext; and (3) if a (small) group of users combine their secret keys to produce a “pirate decoder”, the center can trace at least one of the “traitors ” given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [14, 16]) only achieves a very weak form of nonadaptive security even against chosen plaintext attacks. Of independent interest, we present a slightly simpler construction that shows a “natural separation ” between the classical notion of CCA2security and the recently proposed [15, 1] relaxed notion of gCCA2security. 1