Results 1-10 of 55
Collusion resistant broadcast encryption with short ciphertexts and private keys
Cited by 130 (16 self)
We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers. The public key size in this system is linear in the total number of receivers. Our second system is a generalization of the first that provides a tradeoff between ciphertext size and public key size. For example, we achieve a collusion resistant broadcast system for n users where both ciphertexts and public keys are of size O(√n) for any subset of receivers. We discuss several applications of these systems.
Attribute-based encryption with non-monotonic access structures
In ACM CCCS, 2007
Cited by 53 (4 self)
We construct an Attribute-Based Encryption (ABE) scheme that allows a user’s private key to be expressed in terms of any access formula over attributes. Previous ABE schemes were limited to expressing only monotonic access structures. We provide a proof of security for our scheme based on the Decisional Bilinear Diffie-Hellman (BDH) assumption. Furthermore, the performance of our new scheme compares favorably with existing, less-expressive schemes. Categories and Subject Descriptors: E.3 [Data Encryption]: Public key cryptosystems. General Terms: Security.
Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack
In Public Key Cryptography — PKC ’03, volume 2567 of LNCS, 2003
Cited by 37 (8 self)
A (public key) Trace and Revoke Scheme combines the functionality of broadcast encryption with the capability of traitor tracing. Specifically, (1) a trusted center publishes a single public key and distributes individual secret keys to the users of the system; (2) anybody can encrypt a message so that all but a specified subset of “revoked” users can decrypt the resulting ciphertext; and (3) if a (small) group of users combine their secret keys to produce a “pirate decoder”, the center can trace at least one of the “traitors” given access to this decoder. We construct the first chosen ciphertext (CCA2) secure Trace and Revoke Scheme based on the DDH assumption. Our scheme is also the first adaptively secure scheme, allowing the adversary to corrupt players at any point during execution, while prior works (e.g., [14, 16]) only achieve a very weak form of non-adaptive security even against chosen plaintext attacks. Of independent interest, we present a slightly simpler construction that shows a “natural separation” between the classical notion of CCA2-security and the recently proposed [15, 1] relaxed notion of gCCA2-security.
Efficient tree-based revocation in groups of low-state devices
In Proceedings of Crypto ’04, volume 2204 of LNCS, 2004
Cited by 35 (1 self)
We study the problem of broadcasting confidential information to a collection of n devices while providing the ability to revoke an arbitrary subset of those devices (and tolerating collusion among the revoked devices). In this paper, we restrict our attention to low-memory devices, that is, devices that can store at most O(log n) keys. We consider solutions for both zero-state and low-state cases, where such devices are organized in a tree structure T. We allow the group controller to encrypt broadcasts to any subtree of T, even if the tree is based on a multiway organizational chart or a severely unbalanced multicast tree.
ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption
In CCS ’04: Proceedings of the 11th ACM conference on Computer and communications security, 2004
Cited by 30 (6 self)
A forward-secure encryption scheme protects secret keys from exposure by evolving the keys with time. Forward security has several unique requirements in a hierarchical identity-based encryption (HIBE) scheme: (1) users join dynamically; (2) encryption is joining-time-oblivious; (3) users evolve secret keys autonomously. We present a scalable forward-secure HIBE (fs-HIBE) scheme satisfying the above properties. We also show how our fs-HIBE scheme can be used to construct a forward-secure public-key broadcast encryption scheme, which protects the secrecy of prior transmissions in the broadcast encryption setting. We further generalize fs-HIBE into a collusion-resistant multiple hierarchical ID-based encryption scheme, which can be used for secure communications with entities having multiple roles in role-based access control. The security of our schemes is based on the bilinear Diffie-Hellman assumption in the random oracle model.
Traitor Tracing with Constant Transmission Rate
2002
Cited by 29 (4 self)
An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users’ keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor Tracing by Chor, Fiat and Naor. We refer to such schemes as traitor tracing with constant transmission rate. Here we present a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large. Our starting point is the notion of “copyrighted function” which was presented by Naccache, Shamir and Stern. We first solve the open problem of discrete-log-based and public-key-based “copyrighted function.” Then, we observe the simple yet crucial relation between (public-key) copyrighted encryption and (public-key) traitor tracing, which we exploit by introducing a generic design paradigm for designing constant
Breaking and Repairing Asymmetric Public-Key Traitor Tracing
Proceedings of the ACM Workshop on Digital Rights Management, 2003
Cited by 19 (3 self)
Traitor tracing schemes are a very useful tool for preventing piracy in digital content distribution systems. A traitor tracing procedure allows the system-manager to reveal the identities of the subscribers that were implicated in the construction of a pirate-device that illegally receives the digital content (called traitors). In an important variant called “asymmetric” traitor tracing, the system-manager is not necessarily trusted, thus the tracing procedure must produce undeniable proof of the implication of the traitor subscribers. This non-repudiation property of asymmetric schemes has the potential to significantly increase the effectiveness of the tracing procedure against piracy. In this work, we break the two previous proposals for efficient asymmetric public-key traitor tracing, by showing how traitors can evade the proposed traitor tracing procedures. Then, we present a new efficient Asymmetric Public-Key Traitor Tracing scheme for which we prove its traceability in detail (in the non-black-box model); to the best of our knowledge this is the first such scheme. Our system is capable of proving the implication of all traitors that participate in the construction of a pirate-key. We note that even though we break the
Delegatable Pseudorandom Functions and Applications
Cited by 16 (0 self)
We put forth the problem of delegating the evaluation of a pseudorandom function (PRF) to an untrusted proxy. A delegatable PRF, or DPRF for short, is a new primitive that enables a proxy to evaluate a PRF on a strict subset of its domain using a trapdoor derived from the DPRF secret-key. PRF delegation is policy-based: the trapdoor is constructed with respect to a certain policy that determines the subset of input values which the proxy is allowed to compute. Interesting DPRFs should achieve low-bandwidth delegation: Enabling the proxy to compute the PRF values that conform to the policy should be more efficient than simply providing the proxy with the sequence of all such values precomputed. The main challenge in constructing DPRFs is in maintaining the pseudorandomness of unknown values in the face of an attacker that adaptively controls proxy servers. A DPRF may be optionally equipped with an additional property we call policy privacy, where any two delegation predicates remain indistinguishable in the view of a DPRF-querying proxy: achieving this raises new design challenges as policy privacy and efficiency are seemingly conflicting goals. For the important class of policies described as (1-dimensional) ranges, we devise two DPRF constructions and rigorously prove their security. Built upon the well-known tree-based GGM PRF family [15], our constructions are generic and feature only logarithmic delegation size in the number of values conforming to the policy predicate. At only a constant-factor efficiency reduction, we show that our second construction is also policy private. As we finally describe, their new security and efficiency properties render our delegated PRF schemes particularly useful in numerous security applications, including RFID, symmetric searchable encryption, and broadcast encryption.
Privacy in Encrypted Content Distribution Using Private Broadcast Encryption
In Financial Cryptography ’06, 2006
Cited by 14 (2 self)
In many content distribution systems it is important to both restrict access of content to authorized users and to protect the identities of these users. We discover that current systems for encrypting content to a set of users are subject to attacks on user privacy. We propose a new mechanism, private broadcast encryption, to protect the privacy of users of encrypted file systems and content delivery systems. We construct a private broadcast scheme, with a strong privacy guarantee against an active attacker, while achieving ciphertext length, encryption time, and decryption time comparable with the non-private schemes currently used in encrypted file systems.