We propose a fully functional identity-based encryption scheme (IBE). The scheme has chosen ciphertext security in the random oracle model assuming an elliptic curve variant of the computational Diffie-Hellman problem. Our system is based on bilinear maps between groups. The Weil pairing on elliptic curves is an example of such a map. We give precise definitions for secure identity based encryption schemes and give several applications for such systems.

. We introduce the concept of a group principal and present a number of different classes of group principals, including thresholdgroup -principals. These appear to naturally useful concepts for looking at security. We provide an associated epistemic language and logic and use it to reason about anonymity protocols and anonymity services, where protection properties are formulated from the intruder's knowledge of group principals. Using our language, we give an epistemic characterization of anonymity properties. We also present a specification of a simple anonymizing system using our theory. 1 Introduction Though principals are typically viewed as atomic, there is no reason we cannot consider the knowledge and actions taken by a group. Hence, the basic notion of a group principal. This notion appears to be a useful concept for reasoning about various properties of electronic commerce and security protocols. One such principal is a threshold-group-principal. Such a principal a...

Dalit Naor y Proactive security provides a method for maintaining the overall security of a system, even when individual components are repeatedly broken into and controlled by an attacker. In particular it provides for automated recovery of the security of individual components, avoiding the use of expensive and inconvenient manual processes (unless perhaps when an ongoing attack is detected). The technique calls for the distribution of trust among several components (servers), together with periodic refreshments of the sensitive data held by the servers. This way, the proactive approach guarantees uninterrupted security as long as not too many servers are broken into at the same time. We describe the proactive approach and review some algorithms, implementations, and applications. We elaborate on two of the most important results: proactive signatures and proactive secure communication. Proactive signatures provide a solution for long-lived secret keys, such as the key of a certi cation authority. Proactive secure communication ensures secrecy and authenticity ofcommunication, with automated refresh of the secret keys. 1

The growth of the Internet has triggered tremendous opportunities for cooperative computation, where people are jointly conducting computation tasks based on the private inputs they each supplies. These computations could occur between mutually untrusted parties, or even between competitors. For example, customers might send to a remote database queries that contain private information; two competing financial organizations might jointly invest in a project that must satisfy both organizations' private and valuable constraints, and so on. Today, to conduct such computations, one entity must usually know the inputs from all the participants; however if nobody can be trusted enough to know all the inputs, privacy will become a primary concern. This problem is referred to as Secure Multi-party Computation Problem (SMC) in the literature. Research in the SMC area has been focusing on only a limited set of specific SMC problems, while privacy concerned cooperative computations call for SMC studies in a variety of computation domains. Before we can study the problems, we need to identify and define the specific SMC problems for those computation domains. We have developed a frame to facilitate this problem-discovery task. Based on our framework, we have identified and defined a number of new SMC problems for a spectrum of computation domains. Those problems include privacy-preserving database query, privacy-preserving scientific computations, privacy-preserving intrusion detection, privacy-preserving statistical analysis, privacy-preserving geometric computations, and privacy-preserving data mining. The goal of this paper is not only to present our results, but also to serve as a guideline so other people can identify useful SMC problems in their own computation domains.

We study the problem of maintaining authenticated communication over untrusted communication channels, in a scenario where the communicating parties may be occasionally and repeatedly broken into for transient periods of time. Once a party is broken into, its cryptographic keys are exposed and perhaps modified. Yet, we want parties whose security is thus compromised to regain their ability to communicate in an authenticated way aided by other parties. In this work we present a mathematical model for this highly adversarial setting, exhibiting salient properties and parameters, and then describe a practically-appealing protocol for the task of maintaining authenticated communication in this model. A key element in our solution is devising proactive distributed signature (PDS) schemes in our model. Although PDS schemes are known in the literature, they are all designed for a model where authenticated communication and broadcast primitives are available. We therefore show how t...

Shmatikov z SRI International

Suppose that Bob has a database D and that Alice wants to perform a search query q on D (e.g., “is q in D?”). Since Alice is concerned about her privacy, she does not want Bob to know the query or the response to the query. How could this be done? There are elegant cryptographic techniques for solving this problem under various constraints (such as “Bob should know neither nor the answer to the query ” and “Alice should learn nothing about D other than the answer to the query”), while optimizing various performance criteria (e.g., amount of communication). We consider the version of this problem where the query is of the type “is approximately in �? ” for a number of different notions of “approximate”, some of which arise in image processing and template matching, while others are of the string-edit type that arise in biological sequence comparisons. New techniques are needed in this framework of approximate searching, because each notion of “approximate equality” introduces its own set of difficulties; using encryption is more problematic in this framework because the items that are approximately equal cease to be so after encryption or cryptographic hashing. Practical protocols for solving such problems make possible new forms of e-commerce between proprietary database owners and customers who seek to query the database, with privacy.

This work describes schemes for distributing between n servers the evaluation of a function f which is an approximation to a random function, such that only authorized subsets of servers are able to compute the function. A user who wants to compute f(x) should send x to the members of an authorized subset and receive information which enables him to compute f(x). We require that such a scheme is consistent, i.e. that given an input x all authorized subsets compute the same value f(x). The solutions we present enable the operation of many servers, preventing bottlenecks or single points of failure. There are also no single entities which can compromise the security of the entire network. The solutions can be used to distribute the operation of a Key Distribution Center (KDC). They are far better than the known partitioning to domains or replication solutions to this problem, and are especially suited to handle users of multicast groups.

Abstract. We discuss the following problem: Given an integer φ shared secretly among n players and a prime number e, how can the players efficiently compute a sharing of e −1 mod φ. The most interesting case is when φ is the Euler function of a known RSA modulus N, φ = φ(N). The problem has several applications, among which the construction of threshold variants for two recent signature schemes proposed by Gennaro-Halevi-Rabin and Cramer-Shoup. We present new and efficient protocols to solve this problem, improving over previous solutions by Boneh-Franklin and Frankel et al. Our basic protocol (secure against honest but curious players) requires only two rounds of communication and a single GCD computation. The robust protocol (secure against malicious players) adds only a couple of rounds and a few modular exponentiations to the computation. 1

Existing security mechamsms |bcus on prevention of penetrations, detection of a penetration and (manual) recovery tools Indeed attackers focus their penetration efforts on breaking into critical modules, and on avoiding detection of the attack. As a result, security tools and procedures may cause the attackers to lose control over a specific module (computer, account), since the attacker would rather lose control than risk detection of the attack. While controlling the module, attacker may learn critical secret information or modify the module that make it much easier for the attacker to regain control over that module later Recent results in cryptography give some hope of improving this situation; they show that many fundamental security tasks can be achieved w~th proacttve security Proact~ve security does not assume that there is any module completely secure agamst penetration Instead, we assume that at any given time period (day, week,.), a sufficient