Results 11 to 20 of 132
Public-key broadcast encryption for stateless receivers
In Digital Rights Management — DRM ’02, volume 2696 of LNCS, 2002
Cited by 39 (4 self)
A broadcast encryption scheme allows the sender to securely distribute data to a dynamically changing set of users over an insecure channel. One of the most challenging settings for this problem is that of stateless receivers, where each user is given a fixed set of keys which cannot be updated through the lifetime of the system. This setting was considered by Naor, Naor and Lotspiech [NNL01], who also present a very efficient “subset difference” (SD) method for solving this problem. The efficiency of this method (which also enjoys an efficient traitor tracing mechanism and several other useful features) was recently improved by Halevi and Shamir [HS02], who called their refinement the “Layered SD” (LSD) method. Both of the above methods were originally designed to work in the centralized symmetric key setting, where only the trusted designer of the system can encrypt messages to users. On the other hand, in many applications it is desirable not to store the secret keys “online”, or to allow untrusted users to broadcast information. This leads to the question of building a public key broadcast encryption scheme for stateless receivers; in particular, of extending the elegant SD/LSD methods to the public key setting. Naor et al. [NNL01] notice that the natural technique for doing so will result in an enormous public key and very large storage for every user. In fact, [NNL01] pose this question of reducing the public key size and user’s storage as the first open problem of their paper. We resolve this question in the affirmative, by demonstrating that an O(1) size public key can be achieved for both the SD and LSD methods, in addition to the same (small) user storage and ciphertext size as in the symmetric key setting.
Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack
In Public Key Cryptography — PKC ’03, volume 2567 of LNCS, 2003
Cited by 37 (8 self)
Abstract. A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption with the capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of “revoked” users can decrypt the resulting ciphertext; and (3) if a (small) group of users combine their secret keys to produce a “pirate decoder”, the center can trace at least one of the “traitors” given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [14, 16]) only achieve a very weak form of non-adaptive security even against chosen plaintext attacks. Of independent interest, we present a slightly simpler construction that shows a “natural separation” between the classical notion of CCA2 security and the recently proposed [15, 1] relaxed notion of gCCA2 security.
Chosen-Ciphertext Security of Multiple Encryption
In TCC ’05, volume 3378 of LNCS, 2005
Cited by 36 (2 self)
Abstract. Encryption of data using multiple, independent encryption schemes (“multiple encryption”) has been suggested in a variety of contexts, and can be used, for example, to protect against partial key exposure or cryptanalysis, or to enforce threshold access to data. Most prior work on this subject has focused on the security of multiple encryption against chosen-plaintext attacks, and has shown constructions secure in this sense based on the chosen-plaintext security of the component schemes. Subsequent work has sometimes assumed that these solutions are also secure against chosen-ciphertext attacks when component schemes with stronger security properties are used. Unfortunately, this intuition is false for all existing multiple encryption schemes. Here, in addition to formalizing the problem of chosen-ciphertext security for multiple encryption, we give simple, efficient, and generic constructions of multiple encryption schemes secure against chosen-ciphertext attacks (based on any component schemes secure against such attacks) in the standard model. We also give a more efficient construction from any (hierarchical) identity-based encryption scheme secure against selective-identity chosen plaintext attacks. Finally, we discuss a wide range of applications for our proposed schemes.
Efficient Self-Healing Group Key Distribution with Revocation Capability
In Proc. of the 10th ACM Conference on Computer and Communications Security (CCS ’03), 2003
Cited by 34 (5 self)
This paper presents group key distribution techniques for large and dynamic groups over unreliable channels. The techniques proposed here are based on the self-healing key distribution methods (with revocation capability) recently developed by Staddon et al. [31]. By introducing a novel personal key distribution technique, this paper reduces (1) the communication overhead of personal key share distribution from O(t log q) to O(t log q), (2) the communication overhead of self-healing key distribution with t-revocation capability from O((mt + tm) log q) to O(mt log q), and (3) the storage overhead of the self-healing key distribution with t-revocation capability at each group member from O(m log q) to O(m log q), where t is the maximum number of colluding group members, m is the number of sessions, and q is a prime number that is large enough to accommodate a cryptographic key. All these results are achieved without sacrificing the unconditional security of key distribution. In addition, this paper presents two techniques that allow a trade-off between the broadcast size and the recoverability of lost session keys. These two methods further reduce the broadcast message size in situations where there are frequent but short-term disruptions of communication and where there are long-term but infrequent disruptions of communication, respectively. Finally, this paper presents an API implementation of the proposed techniques.
Efficient tree-based revocation in groups of low-state devices
In Proceedings of Crypto ’04, volume 2204 of LNCS, 2004
Cited by 34 (1 self)
Abstract. We study the problem of broadcasting confidential information to a collection of n devices while providing the ability to revoke an arbitrary subset of those devices (and tolerating collusion among the revoked devices). In this paper, we restrict our attention to low-memory devices, that is, devices that can store at most O(log n) keys. We consider solutions for both zero-state and low-state cases, where such devices are organized in a tree structure T. We allow the group controller to encrypt broadcasts to any subtree of T, even if the tree is based on a multi-way organizational chart or a severely unbalanced multicast tree.
The complexity of online memory checking
In Proceedings of the 46th Annual IEEE Symposium on Foundations of Computer Science, 2005
Cited by 33 (3 self)
We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted, a user could store a small private (randomized) “fingerprint” on his own computer. This is the setting for the well-studied authentication problem in cryptography, and the required fingerprint size is well understood. We study the problem of sublinear authentication: suppose the user would like to encode and store the file in a way that allows him to verify that it has not been corrupted, but without reading the entire file. If the user only wants to read q bits of the file, how large does the size s of the private fingerprint need to be? We define this problem formally, and show a tight lower bound on the relationship between s and q when the adversary is not computationally bounded, namely: s × q = Ω(n), where n is the file size. This is an easier case of the online memory checking problem, introduced by Blum et al. in 1991, and hence the same (tight) lower bound applies also to that problem. It was previously shown that when the adversary is computationally bounded, under the assumption that one-way functions exist, it is possible to construct much better online memory checkers. The same is also true for sublinear authentication schemes. We show that the existence of one-way functions is also a necessary condition: even slightly breaking the s × q = Ω(n) lower bound in a computational setting implies the existence of one-way functions.
Deniable Ring Authentication
In Proceedings of Crypto 2002, volume 2442 of LNCS, 2002
Cited by 31 (3 self)
Abstract. Digital signatures enable authenticating messages in a way that disallows repudiation. While non-repudiation is essential in some applications, it might be undesirable in others. Two related notions of authentication are: Deniable Authentication (see Dwork, Naor and Sahai [25]) and Ring Signatures (see Rivest, Shamir and Tauman [38]). In this paper we show how to combine these notions and achieve Deniable Ring Authentication: it is possible to convince a verifier that a member of an ad hoc subset of participants (a ring) is authenticating a message m without revealing which one (source hiding), and the verifier V cannot convince a third party that message m was indeed authenticated – there is no ‘paper trail’ of the conversation, other than what could be produced by V alone, as in zero-knowledge. We provide an efficient protocol for deniable ring authentication based on any strong encryption scheme. That is, once an entity has published a public key of such an encryption system, it can be drafted to any such ring. There is no need for any other cryptographic primitive. The scheme can be extended to yield threshold authentication (e.g. at least k members of the ring are approving the message) as well.
ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption
In CCS ’04: Proceedings of the 11th ACM Conference on Computer and Communications Security, 2004
Cited by 30 (6 self)
A forward-secure encryption scheme protects secret keys from exposure by evolving the keys with time. Forward security has several unique requirements in hierarchical identity-based encryption (HIBE) schemes: (1) users join dynamically; (2) encryption is joining-time-oblivious; (3) users evolve secret keys autonomously. We present a scalable forward-secure HIBE (fs-HIBE) scheme satisfying the above properties. We also show how our fs-HIBE scheme can be used to construct a forward-secure public-key broadcast encryption scheme, which protects the secrecy of prior transmissions in the broadcast encryption setting. We further generalize fs-HIBE into a collusion-resistant multiple hierarchical ID-based encryption scheme, which can be used for secure communications with entities having multiple roles in role-based access control. The security of our schemes is based on the bilinear Diffie-Hellman assumption in the random oracle model.
Traitor Tracing with Constant Transmission Rate
2002
Cited by 29 (4 self)
Abstract. An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users’ keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor Tracing by Chor, Fiat and Naor. We refer to such schemes as traitor tracing with constant transmission rate. Here we present a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large. Our starting point is the notion of “copyrighted function” which was presented by Naccache, Shamir and Stern. We first solve the open problem of discrete-log-based and public-key-based “copyrighted function.” Then, we observe the simple yet crucial relation between (public-key) copyrighted encryption and (public-key) traitor tracing, which we exploit by introducing a generic design paradigm for designing constant
pDCS: Security and Privacy Support for Data-Centric Sensor Networks
In Proc. of the 26th IEEE INFOCOM, 2007
Cited by 28 (5 self)
The demand for efficient data dissemination/access techniques to find the relevant data from within a sensor network has led to the development of data-centric sensor networks (DCS), where the sensor data, as opposed to the sensor nodes, are named based on attributes such as event type or geographic location. However, saving data inside a network also creates security problems due to the lack of tamper-resistance of the sensor nodes and the unattended nature of the sensor network. For example, an attacker may simply locate and compromise the node storing the event of his interest. To address these security problems, we present pDCS, a privacy-enhanced DCS network which offers different levels of data privacy based on different cryptographic keys. pDCS also includes an efficient key management scheme to facilitate the management of multiple keys in the system. In addition, we propose several query optimization techniques based on Euclidean Steiner Tree and Keyed Bloom Filter to minimize the query overhead while providing certain query privacy. Finally, detailed analysis and simulations show that the Keyed Bloom Filter scheme can significantly reduce the message overhead with the same level of query delay and maintain a very high level of query privacy.