Results 1  10
of
43
Hierarchical identity based encryption with constant size ciphertext
, 2005
"... ..."
(Show Context)
Collusion resistant broadcast encryption with short ciphertexts and private keys
"... We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers. The public ke ..."
Abstract

Cited by 163 (19 self)
 Add to MetaCart
(Show Context)
We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers. The public key size in this system is linear in the total number of receivers. Our second system is a generalization of the first that provides a tradeoff between ciphertext size and public key size. For example, we achieve a collusion resistant broadcast system for n users where both ciphertexts and public keys are of size O (√n) for any subset of receivers. We discuss several applications of these systems.
Fully collusion resistant traitor tracing with short ciphertexts and private keys
 In EUROCRYPT
, 2006
"... We construct a fully collusion resistant tracing traitors system with sublinear size ciphertexts and constant size private keys. More precisely, let N be the total number of users. Our system generates ciphertexts of size O ( √ N) and private keys of size O(1). We first introduce a simpler primitiv ..."
Abstract

Cited by 60 (11 self)
 Add to MetaCart
We construct a fully collusion resistant tracing traitors system with sublinear size ciphertexts and constant size private keys. More precisely, let N be the total number of users. Our system generates ciphertexts of size O ( √ N) and private keys of size O(1). We first introduce a simpler primitive we call private linear broadcast encryption (PLBE) and show that any PLBE gives a tracing traitors system with the same parameters. We then show how to build a PLBE system with O ( √ N) size ciphertexts. Our system uses bilinear maps in groups of composite order. 1
IDBased Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption
 In CCS ’04: Proceedings of the 11th ACM conference on Computer and communications security
, 2004
"... A forwardsecure encryption scheme protects secret keys from exposure by evolving the keys with time. Forward security has several unique requirements in hierarchical identitybased encryption (HIBE) scheme: (1) users join dynamically; (2) encryption is joiningtimeoblivious; (3) users evolve secre ..."
Abstract

Cited by 38 (8 self)
 Add to MetaCart
A forwardsecure encryption scheme protects secret keys from exposure by evolving the keys with time. Forward security has several unique requirements in hierarchical identitybased encryption (HIBE) scheme: (1) users join dynamically; (2) encryption is joiningtimeoblivious; (3) users evolve secret keys autonomously. We present a scalable forwardsecure HIBE (fsHIBE) scheme satisfying the above properties. We also show how our fsHIBE scheme can be used to construct a forwardsecure publickey broadcast encryption scheme, which protects the secrecy of prior transmissions in the broadcast encryption setting. We further generalize fsHIBE into a collusionresistant multiple hierarchical IDbased encryption scheme, which can be used for secure communications with entities having multiple roles in rolebased access control. The security of our schemes is based on the bilinear DiffieHellman assumption in the random oracle model. 1
Fully collusion secure dynamic broadcast encryption with constantsize ciphertexts or decryption keys
 In Pairing
, 2007
"... Abstract. This paper puts forward new efficient constructions for publickey broadcast encryption that simultaneously enjoy the following properties: receivers are stateless; encryption is collusionsecure for arbitrarily large collusions of users and security is tight in the standard model; new use ..."
Abstract

Cited by 32 (3 self)
 Add to MetaCart
(Show Context)
Abstract. This paper puts forward new efficient constructions for publickey broadcast encryption that simultaneously enjoy the following properties: receivers are stateless; encryption is collusionsecure for arbitrarily large collusions of users and security is tight in the standard model; new users can join dynamically i.e. without modification of user decryption keys nor ciphertext size and little or no alteration of the encryption key. We also show how to permanently revoke any subgroup of users. Most importantly, our constructions achieve the optimal bound of O(1)size either for ciphertexts or decryption keys, where the hidden constant relates to a couple of elements of a pairingfriendly group. Our broadcastKEM trapdoor technique, which has independent interest, also provides a dynamic broadcast encryption system improving all previous efficiency measures (for both execution time and sizes) in the privatekey setting. 1
Adaptive Security in Broadcast Encryption Systems
"... We present new techniques for achieving adaptive security in broadcast encryption systems. Previous work on fully collusion resistant broadcast encryption with short ciphertexts was limited to considering only static security. First, we present a new definition of security that we call semistatic s ..."
Abstract

Cited by 31 (3 self)
 Add to MetaCart
We present new techniques for achieving adaptive security in broadcast encryption systems. Previous work on fully collusion resistant broadcast encryption with short ciphertexts was limited to considering only static security. First, we present a new definition of security that we call semistatic security and show a generic “twokey ” transformation from semistatically secure systems to adaptively secure systems that have comparablesize ciphertexts. Using bilinear maps, we then construct broadcast encryption systems that are semistatically secure in the standard model and have constantsize ciphertexts. Our semistatic constructions work when the number of indices or identifiers in the system is polynomial in the security parameter. For identitybased broadcast encryption, where the number of potential indices or identifiers may be exponential, we present the first adaptively secure system with sublinear ciphertexts. We prove security in the standard model. 1
Secure KeyUpdating for Lazy Revocation
 Research Report RZ 3627, IBM Research
, 2005
"... We consider the problem of efficient key management and user revocation in cryptographic file systems that allow shared access to files. A performanceefficient solution to user revocation in such systems is lazy revocation, a method that delays the reencryption of a file until the next write to ..."
Abstract

Cited by 27 (3 self)
 Add to MetaCart
(Show Context)
We consider the problem of efficient key management and user revocation in cryptographic file systems that allow shared access to files. A performanceefficient solution to user revocation in such systems is lazy revocation, a method that delays the reencryption of a file until the next write to that file. We formalize the notion of keyupdating schemes for lazy revocation, an abstraction to manage cryptographic keys in file systems with lazy revocation, and give a security definition for such schemes. We give two composition methods that combine two secure keyupdating schemes into a new secure scheme that permits a larger number of user revocations. We prove the security of two slightly modified existing constructions and propose a novel binary tree construction that is also provable secure in our model.
Computational bounds on hierarchical data processing with applications to information security
 In Proc. Int. Colloquium on Automata, Languages and Programming (ICALP), volume 3580 of LNCS
, 2005
"... Motivated by the study of algorithmic problems in the domain of information security, in this paper, we study the complexity of a new class of computations over a collection of values associated with a set of n elements. We introduce hierarchical data processing (HDP) problems which involve the comp ..."
Abstract

Cited by 26 (15 self)
 Add to MetaCart
(Show Context)
Motivated by the study of algorithmic problems in the domain of information security, in this paper, we study the complexity of a new class of computations over a collection of values associated with a set of n elements. We introduce hierarchical data processing (HDP) problems which involve the computation of a collection of output values from an input set of n elements, where the entire computation is fully described by a directed acyclic graph (DAG). That is, individual computations are performed and intermediate values are processed according to the hierarchy induced by the DAG. We present an Ω(log n) lower bound on various computational cost measures for HDP problems. Essential in our study is an analogy that we draw between the complexities of any HDP problem of size n and searching by comparison in an order set of n elements, which shows an interesting connection between the two problems. In view of the logarithmic lower bounds, we also develop a new randomized DAG scheme for HDP problems that provides close to optimal performance and achieves cost measures with constant factors of the (logarithmic) leading asymptotic term that are close to optimal. Our lower bounds are general, apply to all HDP problems and, along with our new DAG construction, they provide an interesting –as well as useful in the area of algorithm analysis – theoretical framework. We apply our results to two information security problems, data authentication through cryptographic hashing and multicast key distribution using keygraphs and get a unified analysis and treatment for these problems. We show that both problems involve HDP and prove logarithmic lower bounds on their computational and communication costs. In particular, using our new DAG scheme, we present a new efficient authenticated dictionary with improved authentication overhead over previously known schemes. Moreover, through the relation between HDP and searching by comparison, we present a new skiplist version where the expected number of comparisons in a search is 1.25log 2 n + O(1). 1
Optimal communication complexity of generic multicast key distribution
 Advances in cryptology  EUROCRYPT 2004, proceedings of the internarional conference on the theory and application of cryptographic techniques, volume 3027 of Lecture Notes in Computer Science
, 2004
"... Abstract. We prove a tight lower bound for generic protocols for secure multicast key distribution where the messages sent by the group manager for rekeying the group are obtained by arbitrarily nested application of a symmetrickey encryption scheme, with random or pseudorandom keys. Our lower boun ..."
Abstract

Cited by 17 (2 self)
 Add to MetaCart
(Show Context)
Abstract. We prove a tight lower bound for generic protocols for secure multicast key distribution where the messages sent by the group manager for rekeying the group are obtained by arbitrarily nested application of a symmetrickey encryption scheme, with random or pseudorandom keys. Our lower bound shows that the amortized cost of updating the group key for a secure multicast protocol (measured as the number of messages transmitted per membership change) is log 2(n) + o(1). This lower bound matches (up to a small additive constant) the upper bound
Dynamic Threshold PublicKey Encryption
"... Abstract. This paper deals with threshold publickey encryption which allows a pool of players to decrypt a ciphertext if a given threshold of authorized players cooperate. We generalize this primitive to the dynamic setting, where any user can dynamically join the system, as a possible recipient; t ..."
Abstract

Cited by 13 (0 self)
 Add to MetaCart
(Show Context)
Abstract. This paper deals with threshold publickey encryption which allows a pool of players to decrypt a ciphertext if a given threshold of authorized players cooperate. We generalize this primitive to the dynamic setting, where any user can dynamically join the system, as a possible recipient; the sender can dynamically choose the authorized set of recipients, for each ciphertext; and the sender can dynamically set the threshold t for decryption capability among the authorized set. We first give a formal security model, which includes strong robustness notions, and then we propose a candidate achieving all the above dynamic properties, that is semantically secure in the standard model, under a new noninteractive assumption, that fits into the general DiffieHellman exponent framework on groups with a bilinear map. It furthermore compares favorably with previous proposals, a.k.a. threshold broadcast encryption, since this is the first threshold publickey encryption, with dynamic authorized set of recipients and dynamic threshold that provides constantsize ciphertexts. 1