Results 11  20
of
249
Identitybased Encryption with Efficient Revocation
, 2008
"... Identitybased encryption (IBE) is an exciting alternative to publickey encryption, as IBE eliminates the need for a Public Key Infrastructure (PKI). Any setting, PKI or identitybased, must provide a means to revoke users from the system. Efficient revocation is a wellstudied problem in the trad ..."
Abstract

Cited by 75 (3 self)
 Add to MetaCart
(Show Context)
Identitybased encryption (IBE) is an exciting alternative to publickey encryption, as IBE eliminates the need for a Public Key Infrastructure (PKI). Any setting, PKI or identitybased, must provide a means to revoke users from the system. Efficient revocation is a wellstudied problem in the traditional PKI setting. However in the setting of IBE, there has been little work on studying the revocation mechanisms. The most practical solution requires the senders to also use time periods when encrypting, and all the receivers (regardless of whether their keys have been compromised or not) to update their private keys regularly by contacting the trusted authority. We note that this solution does not scale well – as the number of users increases, the work on key updates becomes a bottleneck. We propose an IBE scheme that significantly improves keyupdate efficiency on the side of the trusted party (from linear to logarithmic in the number of users), while staying efficient for the users. Our scheme builds on the ideas of the Fuzzy IBE primitive and binary tree data structure, and is provably secure.
Constrained Pseudorandom Functions and Their Applications
"... We put forward a new notion of pseudorandom functions (PRFs) we call constrained PRFs. In a standard PRF there is a master key k that enables one to evaluate the function at all points in the domain of the function. In a constrained PRF it is possible to derive constrained keys ks from the master ke ..."
Abstract

Cited by 69 (11 self)
 Add to MetaCart
(Show Context)
We put forward a new notion of pseudorandom functions (PRFs) we call constrained PRFs. In a standard PRF there is a master key k that enables one to evaluate the function at all points in the domain of the function. In a constrained PRF it is possible to derive constrained keys ks from the master key k. A constrained key ks enables the evaluation of the PRF at a certain subset S of the domain and nowhere else. We present a formal framework for this concept and show that constrained PRFs can be used to construct powerful primitives such as identitybased key exchange and an optimal private broadcast encryption system. We then construct constrained PRFs for several natural set systems needed for these applications. We conclude with several open problems relating to this new concept.
Fully collusion resistant traitor tracing with short ciphertexts and private keys
 In EUROCRYPT
, 2006
"... We construct a fully collusion resistant tracing traitors system with sublinear size ciphertexts and constant size private keys. More precisely, let N be the total number of users. Our system generates ciphertexts of size O ( √ N) and private keys of size O(1). We first introduce a simpler primitiv ..."
Abstract

Cited by 66 (12 self)
 Add to MetaCart
We construct a fully collusion resistant tracing traitors system with sublinear size ciphertexts and constant size private keys. More precisely, let N be the total number of users. Our system generates ciphertexts of size O ( √ N) and private keys of size O(1). We first introduce a simpler primitive we call private linear broadcast encryption (PLBE) and show that any PLBE gives a tracing traitors system with the same parameters. We then show how to build a PLBE system with O ( √ N) size ciphertexts. Our system uses bilinear maps in groups of composite order. 1
Efficient Trace and Revoke Schemes
 Financial Cryptography  FC 2000
, 2000
"... Our goal is to design encryption schemes for mass distribution of data in which it is possible to (1) deter users from leaking their personal keys, (2) trace which users leaked keys to construct an illegal decryption device, and (3) revoke these keys as to render the device dysfunctional. We start b ..."
Abstract

Cited by 65 (1 self)
 Add to MetaCart
Our goal is to design encryption schemes for mass distribution of data in which it is possible to (1) deter users from leaking their personal keys, (2) trace which users leaked keys to construct an illegal decryption device, and (3) revoke these keys as to render the device dysfunctional. We start by designing an efficient revocation scheme, based on secret sharing. It can remove up to t parties and is secure against coalitions of up to t users. The performance of this scheme is more efficient than that of previous schemes with the same properties. We then show how to enhance the revocation scheme with traitor tracing and self enforcement properties. More precisely, how to construct schemes such that (1) Each user's personal key contains some sensitive information of that user (e.g., the user's credit card number), in order to make users would be reluctant to disclose their keys. (2) An illegal decryption device discloses the identity of users that contributed keys to construct the device. And, (3) it is possible to revoke the keys of corrupt users. For the last point it is important to be able to do so without publicly disclosing the sensitive information.
Delegatable Pseudorandom Functions and Applications
"... We put forth the problem of delegating the evaluation of a pseudorandom function (PRF) to an untrusted proxy. A delegatable PRF, or DPRF for short, is a new primitive that enables a proxy to evaluate a PRF on a strict subset of its domain using a trapdoor derived from the DPRF secretkey. PRF delega ..."
Abstract

Cited by 55 (0 self)
 Add to MetaCart
(Show Context)
We put forth the problem of delegating the evaluation of a pseudorandom function (PRF) to an untrusted proxy. A delegatable PRF, or DPRF for short, is a new primitive that enables a proxy to evaluate a PRF on a strict subset of its domain using a trapdoor derived from the DPRF secretkey. PRF delegation is policybased: the trapdoor is constructed with respect to a certain policy that determines the subset of input values which the proxy is allowed to compute. Interesting DPRFs should achieve lowbandwidth delegation: Enabling the proxy to compute the PRF values that conform to the policy should be more efficient than simply providing the proxy with the sequence of all such values precomputed. The main challenge in constructing DPRFs is in maintaining the pseudorandomness of unknown values in the face of an attacker that adaptively controls proxy servers. A DPRF may be optionally equipped with an additional property we call policy privacy, where any two delegation predicates remain indistinguishable in the view of a DPRFquerying proxy: achieving this raises new design challenges as policy privacy and efficiency are seemingly conflicting goals. For the important class of policies described as (1dimensional) ranges, we devise two DPRF constructions and rigorously prove their security. Built upon the wellknown treebased GGM PRF family [15], our constructions are generic and feature only logarithmic delegation size in the number of values conforming to the policy predicate. At only a constantfactor efficiency reduction, we show that our second construction is also policy private. As we finally describe, their new security and efficiency properties render our delegated PRF schemes particularly useful in numerous security applications, including RFID, symmetric searchable encryption, and broadcast encryption. 1
The complexity of online memory checking
 In Proceedings of the 46th Annual IEEE Symposium on Foundations of Computer Science
, 2005
"... We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted, a user could store a small private (randomized) “fingerprint” on his own computer. This is the setting for the wellstudied authentication problem in cryptography, and t ..."
Abstract

Cited by 54 (3 self)
 Add to MetaCart
(Show Context)
We consider the problem of storing a large file on a remote and unreliable server. To verify that the file has not been corrupted, a user could store a small private (randomized) “fingerprint” on his own computer. This is the setting for the wellstudied authentication problem in cryptography, and the required fingerprint size is well understood. We study the problem of sublinear authentication: suppose the user would like to encode and store the file in a way that allows him to verify that it has not been corrupted, but without reading the entire file. If the user only wants to read q bits of the file, how large does the size s of the private fingerprint need to be? We define this problem formally, and show a tight lower bound on the relationship between s and q when the adversary is not computationally bounded, namely: s × q = Ω(n), where n is the file size. This is an easier case of the online memory checking problem, introduced by Blum et al. in 1991, and hence the same (tight) lower bound applies also to that problem. It was previously shown that when the adversary is computationally bounded, under the assumption that oneway functions exist, it is possible to construct much better online memory checkers. T he same is also true for sublinear authentication schemes. We show that the existence of oneway functions is also a necessary condition: even slightly breaking the s × q = Ω(n) lower bound in a computational setting implies the existence of oneway functions. 1
Publickey broadcast encryption for stateless receivers
 In Digital Rights Management — DRM ’02, volume 2696 of LNCS
, 2002
"... A broadcast encryption scheme allows the sender to securely distribute data to a dynamically changing set of users over an insecure channel. One of the most challenging settings for this problem is that of stateless receivers, where each user is given a fixed set of keys which cannot be updated thro ..."
Abstract

Cited by 53 (6 self)
 Add to MetaCart
(Show Context)
A broadcast encryption scheme allows the sender to securely distribute data to a dynamically changing set of users over an insecure channel. One of the most challenging settings for this problem is that of stateless receivers, where each user is given a fixed set of keys which cannot be updated through the lifetime of the system. This setting was considered by Naor, Naor and Lotspiech [NNL01], who also present a very efficient “subset difference ” (SD) method for solving this problem. The efficiency of this method (which also enjoys efficient traitor tracing mechanism and several other useful features) was recently improved by Halevi and Shamir [HS02], who called their refinement the “Layered SD ” (LSD) method. Both of the above methods were originally designed to work in the centralized symmetric key setting, where only the trusted designer of the system can encrypt messages to users. On the other hand, in many applications it is desirable not to store the secret keys “online”, or to allow untrusted users to broadcast information. This leads to the question of building a public key broadcast encryption scheme for stateless receivers; in particular, of extending the elegant SD/LSD methods to the public key setting. Naor et al. [NNL01] notice that the natural technique for doing so will result in an enormous public key and very large storage for every user. In fact, [NNL01] pose this question of reducing the public key size and user’s storage as the first open problem of their paper. We resolve this question in the affirmative, by demonstrating that an O(1) size public key can be achieved for both of SD/LSD methods, in addition to the same (small) user’s storage and ciphertext size as in the symmetric key setting. 1
Efficient and selfhealing group key distribution with revocation capability
, 2003
"... This paper presents group key distribution techniques for large and dynamic groups over unreliable channels. The techniques proposed here are based on the selfhealing key distribution methods (with revocation capability) recently developed by Staddon et al. [27]. By introducing a novel personal key ..."
Abstract

Cited by 48 (4 self)
 Add to MetaCart
(Show Context)
This paper presents group key distribution techniques for large and dynamic groups over unreliable channels. The techniques proposed here are based on the selfhealing key distribution methods (with revocation capability) recently developed by Staddon et al. [27]. By introducing a novel personal key distribution technique, this paper reduces (1) the communication overhead of personal key share distribution from O(t2 log q) to O(t log q), (2) the communication overhead of selfhealing key distribution with trevocation capability from O((mt2 + tm) log q) to O(mt log q), and (3) the storage overhead of the selfhealing key distribution with trevocation capability at each group member from O(m2 log q) to O(m log q), where t is the maximum number of colluding group members, m is the number of sessions, and q is a prime number that is large enough to accommodate a cryptographic key. All these results are achieved without sacrificing the unconditional security of key distribution. In addition, this paper presents two techniques that allow tradeoff between the broadcast size and the recoverability of lost session keys. These two methods further reduce the broadcast message size in situations where there are frequent but shortterm disruptions of communication and where there are longterm but infrequent disruptions of communication, respectively.
ChosenCiphertext Security of Multiple Encryption
 In TCC’05, LNCS 3378
, 2005
"... Abstract. Encryption of data using multiple, independent encryption schemes (“multiple encryption”) has been suggested in a variety of contexts, and can be used, for example, to protect against partial key exposure or cryptanalysis, or to enforce threshold access to data. Most prior work on this sub ..."
Abstract

Cited by 47 (2 self)
 Add to MetaCart
(Show Context)
Abstract. Encryption of data using multiple, independent encryption schemes (“multiple encryption”) has been suggested in a variety of contexts, and can be used, for example, to protect against partial key exposure or cryptanalysis, or to enforce threshold access to data. Most prior work on this subject has focused on the security of multiple encryption against chosenplaintext attacks, and has shown constructions secure in this sense based on the chosenplaintext security of the component schemes. Subsequent work has sometimes assumed that these solutions are also secure against chosenciphertext attacks when component schemes with stronger security properties are used. Unfortunately, this intuition is false for all existing multiple encryption schemes. Here, in addition to formalizing the problem of chosenciphertext security for multiple encryption, we give simple, efficient, and generic constructions of multiple encryption schemes secure against chosenciphertext attacks (based on any component schemes secure against such attacks) in the standard model. We also give a more efficient construction from any (hierarchical) identitybased encryption scheme secure against selectiveidentity chosen plaintext attacks. Finally, we discuss a wide range of applications for our proposed schemes. 1
pdcs: Security and privacy support for datacentric sensor networks
 In INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE
, 2007
"... ..."
(Show Context)