Identity-Based Encryption from the Weil Pairing
2001
Cited by 1123 (24 self)
We propose a fully functional identity-based encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational Diffie-Hellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.
Secure Multi-Party Computation Problems and Their Applications: A Review And Open Problems
In New Security Paradigms Workshop, 2001
Cited by 67 (1 self)
The growth of the Internet has triggered tremendous opportunities for cooperative computation, where people are jointly conducting computation tasks based on the private inputs they each supply. These computations could occur between mutually untrusted parties, or even between competitors. For example, customers might send to a remote database queries that contain private information; two competing financial organizations might jointly invest in a project that must satisfy both organizations' private and valuable constraints, and so on. Today, to conduct such computations, one entity must usually know the inputs from all the participants; however, if nobody can be trusted enough to know all the inputs, privacy will become a primary concern. This problem is referred to as the Secure Multiparty Computation Problem (SMC) in the literature. Research in the SMC area has been focusing on only a limited set of specific SMC problems, while privacy-concerned cooperative computations call for SMC studies in a variety of computation domains. Before we can study the problems, we need to identify and define the specific SMC problems for those computation domains. We have developed a framework to facilitate this problem-discovery task. Based on our framework, we have identified and defined a number of new SMC problems for a spectrum of computation domains. Those problems include privacy-preserving database query, privacy-preserving scientific computations, privacy-preserving intrusion detection, privacy-preserving statistical analysis, privacy-preserving geometric computations, and privacy-preserving data mining. The goal of this paper is not only to present our results, but also to serve as a guideline so other people can identify useful SMC problems in their own computation domains.
Group Principals and the Formalization of Anonymity
In World Congress on Formal Methods, 1999
Cited by 66 (5 self)
We introduce the concept of a group principal and present a number of different classes of group principals, including threshold-group principals. These appear to be naturally useful concepts for looking at security. We provide an associated epistemic language and logic and use it to reason about anonymity protocols and anonymity services, where protection properties are formulated from the intruder's knowledge of group principals. Using our language, we give an epistemic characterization of anonymity properties. We also present a specification of a simple anonymizing system using our theory.

1 Introduction
Though principals are typically viewed as atomic, there is no reason we cannot consider the knowledge and actions taken by a group. Hence, the basic notion of a group principal. This notion appears to be a useful concept for reasoning about various properties of electronic commerce and security protocols. One such principal is a threshold-group principal. Such a principal a...
Proactive security: Long-term protection against break-ins
CryptoBytes, 1997
Cited by 57 (9 self)
Proactive security provides a method for maintaining the overall security of a system, even when individual components are repeatedly broken into and controlled by an attacker. In particular it provides for automated recovery of the security of individual components, avoiding the use of expensive and inconvenient manual processes (unless perhaps when an ongoing attack is detected). The technique calls for the distribution of trust among several components (servers), together with periodic refreshments of the sensitive data held by the servers. This way, the proactive approach guarantees uninterrupted security as long as not too many servers are broken into at the same time. We describe the proactive approach and review some algorithms, implementations, and applications. We elaborate on two of the most important results: proactive signatures and proactive secure communication. Proactive signatures provide a solution for long-lived secret keys, such as the key of a certification authority. Proactive secure communication ensures secrecy and authenticity of communication, with automated refresh of the secret keys.
Maintaining Authenticated Communication in the Presence of Break-ins
Journal of Cryptology, 1998
Cited by 40 (6 self)
We study the problem of maintaining authenticated communication over untrusted communication channels, in a scenario where the communicating parties may be occasionally and repeatedly broken into for transient periods of time. Once a party is broken into, its cryptographic keys are exposed and perhaps modified. Yet, we want parties whose security is thus compromised to regain their ability to communicate in an authenticated way aided by other parties. In this work we present a mathematical model for this highly adversarial setting, exhibiting salient properties and parameters, and then describe a practically-appealing protocol for the task of maintaining authenticated communication in this model. A key element in our solution is devising proactive distributed signature (PDS) schemes in our model. Although PDS schemes are known in the literature, they are all designed for a model where authenticated communication and broadcast primitives are available. We therefore show how t...
Protocols For Secure Remote Database Access With Approximate Matching
2000
Cited by 40 (10 self)
Suppose that Bob has a database D and that Alice wants to perform a search query q on D (e.g., "is q in D?"). Since Alice is concerned about her privacy, she does not want Bob to know the query or the response to the query. How could this be done? There are elegant cryptographic techniques for solving this problem under various constraints (such as "Bob should know neither q nor the answer to the query" and "Alice should learn nothing about D other than the answer to the query"), while optimizing various performance criteria (e.g., amount of communication). We consider the version of this problem where the query is of the type "is q approximately in D?" for a number of different notions of "approximate", some of which arise in image processing and template matching, while others are of the string-edit type that arise in biological sequence comparisons. New techniques are needed in this framework of approximate searching, because each notion of "approximate equality" introduces its own set of difficulties; using encryption is more problematic in this framework because the items that are approximately equal cease to be so after encryption or cryptographic hashing. Practical protocols for solving such problems make possible new forms of e-commerce between proprietary database owners and customers who seek to query the database, with privacy.
Privacy-preserving sharing and correlation of security alerts
In USENIX Security Symposium, 2004
Shmatikov, SRI International
Distributed Pseudo-Random Functions and KDCs
In Advances in Cryptology: EUROCRYPT '99, Volume 1592 of Lecture Notes in Computer Science, 1999
Cited by 29 (0 self)
This work describes schemes for distributing between n servers the evaluation of a function f which is an approximation to a random function, such that only authorized subsets of servers are able to compute the function. A user who wants to compute f(x) should send x to the members of an authorized subset and receive information which enables him to compute f(x). We require that such a scheme is consistent, i.e. that given an input x all authorized subsets compute the same value f(x). The solutions we present enable the operation of many servers, preventing bottlenecks or single points of failure. There are also no single entities which can compromise the security of the entire network. The solutions can be used to distribute the operation of a Key Distribution Center (KDC). They are far better than the known partitioning to domains or replication solutions to this problem, and are especially suited to handle users of multicast groups.
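The proactive-security abstract above (trust split across servers, with periodic refresh of the sensitive data they hold) and this distributed pseudo-random function abstract (authorized subsets of servers evaluating f(x) consistently) rest on the same mechanism: threshold secret sharing with Lagrange recombination. The Python below is an added illustration of both, not code from either paper or from this listing. It assumes a constructed toy group (safe prime P = 2039, subgroup order Q = 1019), Shamir (t, n) sharing over Z_Q, a refresh step in which every server deals a fresh sharing of zero, and a DPRF of the form h(x)^k evaluated from t partial answers h(x)^(k_i). The group size, the hash-to-group map, the server/query names and the honest-but-curious setting are choices made here, not taken from the papers.

```python
"""Threshold sharing with proactive refresh, and a distributed PRF built on it.

Added illustration with constructed toy parameters; not code from the papers.
"""
import hashlib
import secrets

# Constructed toy group: P is a safe prime, so Q = (P - 1) / 2 is prime and the
# quadratic residues mod P form a subgroup of order Q. Shares live in Z_Q and
# PRF outputs live in that subgroup. A real deployment would use a group of at
# least 2048 bits or an elliptic curve; 2039 is only for a readable example.
P = 2039
Q = (P - 1) // 2  # 1019


def share(secret, t, n):
    """Shamir (t, n) sharing over Z_Q: server i (1..n) gets f(i) for a random
    polynomial f of degree t - 1 with f(0) = secret. Any t - 1 shares reveal
    nothing about the secret."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def lagrange_at_zero(ids):
    """Coefficients lambda_i with sum(lambda_i * f(i)) = f(0) (mod Q) for any
    polynomial of degree < len(ids)."""
    ids = list(ids)
    lam = {}
    for i in ids:
        num, den = 1, 1
        for j in ids:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam


def reconstruct(shares):
    """Recover f(0) from any t shares given as {server_id: share}."""
    lam = lagrange_at_zero(shares)
    return sum(lam[i] * s for i, s in shares.items()) % Q


def refresh(shares, t):
    """Proactive refresh (honest-but-curious servers): every server deals a
    fresh (t, n) sharing of zero and each server adds up what it received.
    f(0) is unchanged, but the new shares are independent of the old ones,
    so shares stolen in different epochs cannot be combined."""
    n = len(shares)
    zero_sharings = [share(0, t, n) for _ in range(n)]
    return {i: (shares[i] + sum(z[i] for z in zero_sharings)) % Q
            for i in shares}


def hash_to_group(x):
    """Constructed map bytes -> order-Q subgroup: hash into [1, P-1], square."""
    h = 1 + int.from_bytes(hashlib.sha256(x).digest(), "big") % (P - 1)
    return pow(h, 2, P)


def dprf_partial(key_share, x):
    """One server's answer to a query x: h(x)^(k_i) mod P."""
    return pow(hash_to_group(x), key_share, P)


def dprf_combine(partials):
    """The user combines t partial results from an authorized subset:
    prod_i (h^(k_i))^(lambda_i) = h^(sum lambda_i k_i) = h^k. Any authorized
    subset therefore yields the same f(x), the consistency the abstract asks for."""
    lam = lagrange_at_zero(partials)
    out = 1
    for i, y in partials.items():
        out = out * pow(y, lam[i], P) % P
    return out


def dprf_reference(key, x):
    """What a single trusted server holding the whole key would compute."""
    return pow(hash_to_group(x), key, P)


def demo():
    t, n = 3, 5
    secret = secrets.randbelow(Q)
    epoch0 = share(secret, t, n)
    epoch1 = refresh(epoch0, t)
    # Any t refreshed shares still give the secret ...
    refreshed_ok = reconstruct({i: epoch1[i] for i in (1, 3, 5)}) == secret
    # ... but an attacker holding servers 1 and 2 in epoch 0 and server 3 in
    # epoch 1 has t shares that do not lie on a common polynomial.
    mixed_epochs_ok = reconstruct({1: epoch0[1], 2: epoch0[2], 3: epoch1[3]}) == secret
    key = secrets.randbelow(Q)
    key_shares = share(key, t, n)
    x = b"group:multicast-42"  # constructed query
    via_servers = dprf_combine({i: dprf_partial(key_shares[i], x) for i in (2, 4, 5)})
    return refreshed_ok, mixed_epochs_ok, via_servers == dprf_reference(key, x)


if __name__ == "__main__":
    print(demo())
```

The refresh step only re-randomizes shares; it assumes every server deals its zero-sharing honestly and that no share was destroyed. The robust variants in the papers above add verifiable sharing to detect a corrupt dealer and a recovery step that rebuilds a lost share from the others, neither of which this example includes. The DPRF side shows the property the abstract calls consistency: the user gets the same h(x)^k whichever authorized subset it asks, so servers can be replicated freely without any one of them ever holding k.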
Computing inverses over a shared secret modulus
2000
Cited by 26 (0 self)
We discuss the following problem: Given an integer φ shared secretly among n players and a prime number e, how can the players efficiently compute a sharing of e^-1 mod φ. The most interesting case is when φ is the Euler function of a known RSA modulus N, φ = φ(N). The problem has several applications, among which the construction of threshold variants for two recent signature schemes proposed by Gennaro-Halevi-Rabin and Cramer-Shoup. We present new and efficient protocols to solve this problem, improving over previous solutions by Boneh-Franklin and Frankel et al. Our basic protocol (secure against honest but curious players) requires only two rounds of communication and a single GCD computation. The robust protocol (secure against malicious players) adds only a couple of rounds and a few modular exponentiations to the computation.