Revocation and Tracing Schemes for Stateless Receivers
2001
Cited by 173 (4 self)
Abstract. We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their state from session to session. We present a framework called the Subset-Cover framework, which abstracts a variety of revocation schemes including some previously known ones. We provide sufficient conditions that guarantee the security of a revocation algorithm in this class. We describe two explicit Subset-Cover revocation algorithms; these algorithms are very flexible and work for any number of revoked users. The schemes require storage at the receiver of log N and (1/2) log^2 N keys respectively (N is the total number of users), and in order to revoke r users the required message lengths are r log N and 2r keys respectively. We also provide a general traitor tracing mechanism that can be integrated with any Subset-Cover revocation scheme that satisfies a “bifurcation property”. This mechanism does not need an a priori bound on the number of traitors and does not expand the message length by much compared to the revocation of the same set of traitors. The main improvements of these methods over previously suggested methods, when adopted to the stateless scenario, are: (1) reducing the message length to O(r) regardless of the coalition size while maintaining a single decryption at the user’s end; (2) providing a seamless integration between revocation and tracing, so that the tracing mechanism does not require any change to the revocation algorithm.
Key-insulated public key cryptosystems
In EUROCRYPT, 2002
Cited by 75 (10 self)
Abstract. Cryptographic computations (decryption, signature generation, etc.) are often performed on a relatively insecure device (e.g., a mobile device or an Internet-connected host) which cannot be trusted to maintain secrecy of the private key. We propose and investigate the notion of key-insulated security, whose goal is to minimize the damage caused by secret-key exposures. In our model, the secret key(s) stored on the insecure device are refreshed at discrete time periods via interaction with a physically secure (but computationally limited) device which stores a “master key”. All cryptographic computations are still done on the insecure device, and the public key remains unchanged. In a (t, N)-key-insulated scheme, an adversary who compromises the insecure device and obtains secret keys for up to t periods of his choice is unable to violate the security of the cryptosystem for any of the remaining N − t periods. Furthermore, the scheme remains secure (for all time periods) against an adversary who compromises only the physically secure device. We focus primarily on key-insulated public-key encryption. We construct a (t, N)-key-insulated encryption scheme based on any (standard) public-key encryption scheme, and give a more efficient construction based on the DDH assumption. The latter construction is then extended to achieve chosen-ciphertext security.
Combinatorial Properties of Frameproof and Traceability Codes
IEEE Transactions on Information Theory, 2000
Cited by 55 (10 self)
In order to protect copyrighted material, codes may be embedded in the content or codes may be associated with the keys used to recover the content. Codes can offer protection by providing some form of traceability for pirated data. Several researchers have studied different notions of traceability and related concepts in recent years. “Strong” versions of traceability allow at least one member of a coalition that constructs a “pirate decoder” to be traced. Weaker versions of this concept ensure that no coalition can “frame” a disjoint user or group of users. All these concepts can be formulated as codes having certain combinatorial properties. In this paper, we study the relationships between the various notions, and we discuss equivalent formulations using structures such as perfect hash families. We use methods from combinatorics and coding theory to provide bounds (necessary conditions) and constructions (sufficient conditions) for the objects of interest.
Efficient Trace and Revoke Schemes
Financial Cryptography (FC 2000), 2000
Cited by 53 (1 self)
Our goal is to design encryption schemes for mass distribution of data in which it is possible to (1) deter users from leaking their personal keys, (2) trace which users leaked keys to construct an illegal decryption device, and (3) revoke these keys so as to render the device dysfunctional. We start by designing an efficient revocation scheme, based on secret sharing. It can remove up to t parties and is secure against coalitions of up to t users. This scheme is more efficient than previous schemes with the same properties. We then show how to enhance the revocation scheme with traitor tracing and self-enforcement properties. More precisely, we show how to construct schemes such that (1) each user's personal key contains some sensitive information of that user (e.g., the user's credit card number), so that users would be reluctant to disclose their keys; (2) an illegal decryption device discloses the identity of users that contributed keys to construct the device; and (3) it is possible to revoke the keys of corrupt users. For the last point it is important to be able to do so without publicly disclosing the sensitive information.
Self-Healing Key Distribution with Revocation
In Proceedings of IEEE Symposium on Security and Privacy, The Claremont Resort, 2002
Cited by 40 (1 self)
We address the problem of establishing a group key amongst a dynamic group of users over an unreliable, or lossy, network. We term our key distribution mechanisms self-healing because users are capable of recovering lost group keys on their own, without requesting additional transmissions from the group manager, thus cutting back on network traffic, decreasing the load on the group manager, and reducing the risk of user exposure through traffic analysis. A user must be a member both before and after the session in which a particular key is sent in order to be able to recover the key through self-healing. Binding the ability to recover keys to membership status enables the group manager to use short broadcasts to establish group keys, independent of the group size. In addition, the self-healing approach to key distribution is stateless, meaning that a group member who has been offline for some time is able to recover new session keys immediately after coming back online.
Public-key broadcast encryption for stateless receivers
In Digital Rights Management — DRM ’02, volume 2696 of LNCS, 2002
Cited by 39 (4 self)
A broadcast encryption scheme allows the sender to securely distribute data to a dynamically changing set of users over an insecure channel. One of the most challenging settings for this problem is that of stateless receivers, where each user is given a fixed set of keys which cannot be updated through the lifetime of the system. This setting was considered by Naor, Naor and Lotspiech [NNL01], who also present a very efficient “subset difference” (SD) method for solving this problem. The efficiency of this method (which also enjoys an efficient traitor tracing mechanism and several other useful features) was recently improved by Halevi and Shamir [HS02], who called their refinement the “Layered SD” (LSD) method. Both of the above methods were originally designed to work in the centralized symmetric key setting, where only the trusted designer of the system can encrypt messages to users. On the other hand, in many applications it is desirable not to store the secret keys “online”, or to allow untrusted users to broadcast information. This leads to the question of building a public key broadcast encryption scheme for stateless receivers; in particular, of extending the elegant SD/LSD methods to the public key setting. Naor et al. [NNL01] notice that the natural technique for doing so will result in an enormous public key and very large storage for every user. In fact, [NNL01] pose this question of reducing the public key size and user’s storage as the first open problem of their paper. We resolve this question in the affirmative, by demonstrating that an O(1) size public key can be achieved for both the SD and LSD methods, in addition to the same (small) user’s storage and ciphertext size as in the symmetric key setting.
Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack
In Public Key Cryptography — PKC ’03, volume 2567 of LNCS, 2003
Cited by 37 (8 self)
Abstract. A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption with the capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of “revoked” users can decrypt the resulting ciphertext; and (3) if a (small) group of users combine their secret keys to produce a “pirate decoder”, the center can trace at least one of the “traitors” given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [14, 16]) only achieve a very weak form of non-adaptive security even against chosen plaintext attacks. Of independent interest, we present a slightly simpler construction that shows a “natural separation” between the classical notion of CCA2-security and the recently proposed [15, 1] relaxed notion of gCCA2-security.
Efficient Self-Healing Group Key Distribution with Revocation Capability
In Proc. of the 10th ACM Conference on Computer and Communications Security (CCS ’03), 2003
Cited by 34 (5 self)
This paper presents group key distribution techniques for large and dynamic groups over unreliable channels. The techniques proposed here are based on the self-healing key distribution methods (with revocation capability) recently developed by Staddon et al. [31]. By introducing a novel personal key distribution technique, this paper reduces (1) the communication overhead of personal key share distribution from O(t^2 log q) to O(t log q), (2) the communication overhead of self-healing key distribution with t-revocation capability from O((mt^2 + tm) log q) to O(mt log q), and (3) the storage overhead of the self-healing key distribution with t-revocation capability at each group member from O(m^2 log q) to O(m log q), where t is the maximum number of colluding group members, m is the number of sessions, and q is a prime number that is large enough to accommodate a cryptographic key. All these results are achieved without sacrificing the unconditional security of key distribution. In addition, this paper presents two techniques that allow a tradeoff between the broadcast size and the recoverability of lost session keys. These two methods further reduce the broadcast message size in situations where there are frequent but short-term disruptions of communication and where there are long-term but infrequent disruptions of communication, respectively. Finally, this paper presents an API implementation of the proposed techniques.
Signature schemes with bounded leakage resilience
In ASIACRYPT, 2009
Cited by 25 (1 self)
A leakage-resilient cryptosystem remains secure even if arbitrary, but bounded, information about the secret key (or possibly other internal state information) is leaked to an adversary. Denote the length of the secret key by n. We show a signature scheme tolerating (optimal) leakage of up to n − n^ε bits of information about the secret key, and a more efficient one-time signature scheme that tolerates leakage of (1/4 − ε)·n bits of information about the signer’s entire state. The latter construction extends to give a leakage-resilient t-time signature scheme. All these constructions are in the standard model under general assumptions.
An O(k^3 log n)-Approximation Algorithm for Vertex-Connectivity Survivable Network Design
2008
Cited by 24 (0 self)
In the Survivable Network Design problem (SNDP), we are given an undirected graph G(V, E) with costs on edges, along with a connectivity requirement r(u, v) for each pair u, v of vertices. The goal is to find a minimum-cost subset E* of edges that satisfies the given set of pairwise connectivity requirements. In the edge-connectivity version we need to ensure that there are r(u, v) edge-disjoint paths for every pair u, v of vertices, while in the vertex-connectivity version the paths are required to be vertex-disjoint. The edge-connectivity version of SNDP is known to have a 2-approximation. However, no non-trivial approximation algorithm has been known so far for the vertex version of SNDP, except for special cases of the problem. We present an extremely simple algorithm to achieve an O(k^3 log n)-approximation for this problem, where k denotes the maximum connectivity requirement, and n denotes the number of vertices. We also give a simple proof of the recently discovered O(k^2 log n)-approximation result for the single-source version of vertex-connectivity SNDP. We note that in both cases, our analysis in fact yields slightly better guarantees in that the log n term in the approximation guarantee can be replaced with a log τ term, where τ denotes the number of distinct vertices that participate in one or more pairs with a positive connectivity requirement.