Results 1-10 of 148
Attribute-based encryption for fine-grained access control of encrypted data
In Proc. of ACM CCS '06, 2006
Cited by 481 (22 self)
As more sensitive data is shared and stored by third-party sites on the Internet, there will be a need to encrypt data stored at these sites. One drawback of encrypting data is that it can be selectively shared only at a coarse-grained level (i.e., by giving another party your private key). We develop a new cryptosystem for fine-grained sharing of encrypted data that we call Key-Policy Attribute-Based Encryption (KP-ABE). In our cryptosystem, ciphertexts are labeled with sets of attributes and private keys are associated with access structures that control which ciphertexts a user is able to decrypt. We demonstrate the applicability of our construction to sharing of audit-log information and broadcast encryption. Our construction supports delegation of private keys, which subsumes Hierarchical Identity-Based Encryption (HIBE).
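The abstract's key point is where the policy lives: in KP-ABE the access structure is bound to the private key and the attribute set is attached to the ciphertext (CP-ABE swaps the two). The following added illustration, which is not code from the paper, evaluates such a monotone access structure over ciphertext attribute sets and checks two properties a practitioner should expect of any ABE deployment: monotonicity (adding attributes never loses decryptability) and that delegated keys only ever decrypt a subset of what the parent key decrypts. Attribute names and the example policy are constructed for this illustration; no actual encryption is performed here.

```python
from itertools import combinations

def satisfies(policy, attrs):
    """Evaluate a monotone access structure against a set of attributes.
    In KP-ABE the policy is bound to the private key and the attribute set to the
    ciphertext (CP-ABE swaps the two roles). Supported node shapes:
    ('attr', name), ('and', [children]), ('or', [children]), ('thresh', k, [children])."""
    kind = policy[0]
    if kind == 'attr':
        return policy[1] in attrs
    if kind == 'and':
        return all(satisfies(c, attrs) for c in policy[1])
    if kind == 'or':
        return any(satisfies(c, attrs) for c in policy[1])
    if kind == 'thresh':
        k, children = policy[1], policy[2]
        return sum(satisfies(c, attrs) for c in children) >= k
    raise ValueError("unknown policy node: %r" % (kind,))

def delegate(policy, extra):
    """Key delegation: a key holder may derive a key for (own policy AND extra).
    The derived key must never decrypt anything the parent key cannot."""
    return ('and', [policy, extra])

def accepted_sets(policy, universe):
    """All attribute subsets of a small universe that satisfy the policy (brute force)."""
    return {frozenset(c)
            for r in range(len(universe) + 1)
            for c in combinations(universe, r)
            if satisfies(policy, c)}

def is_monotone(policy, universe):
    """Attaching more attributes to a ciphertext must never make it undecryptable."""
    acc = accepted_sets(policy, universe)
    return all(frozenset(s | {a}) in acc for s in acc for a in universe)

def delegation_is_restrictive(parent, child, universe):
    """True iff every attribute set the child key decrypts, the parent key decrypts too."""
    return accepted_sets(child, universe) <= accepted_sets(parent, universe)

# Constructed example in the abstract's audit-log setting (attribute names are made up):
# an auditor may read firewall records that are either alerts or match two of three tags.
AUDITOR_KEY = ('and', [
    ('attr', 'source:firewall'),
    ('or', [('attr', 'severity:alert'),
            ('thresh', 2, [('attr', 'year:2006'), ('attr', 'site:eu'), ('attr', 'proto:ssh')])]),
])
UNIVERSE = ['source:firewall', 'severity:alert', 'year:2006', 'site:eu', 'proto:ssh', 'source:ids']
```

A ciphertext labelled {source:firewall, year:2006, site:eu} satisfies the threshold branch and is decryptable; one labelled {source:ids, severity:alert} is not, whatever else it carries, because the AND root requires the firewall attribute. Delegating with an extra ('attr', 'site:eu') constraint yields a key whose accepted sets are a subset of the parent's, which is the property that makes delegation safe.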
Undirected ST-Connectivity in Log-Space
2004
Cited by 167 (3 self)
We present a deterministic, log-space algorithm that solves st-connectivity in undirected graphs. The previous bound on the space complexity of undirected st-connectivity was log^{4/3}(·), obtained by Armoni, Ta-Shma, Wigderson and Zhou [ATSWZ00]. As undirected st-connectivity is complete for the class of problems solvable by symmetric, non-deterministic, log-space computations (the class SL), this algorithm implies that SL = L (where L is the class of problems solvable by deterministic log-space computations). Our algorithm also implies log-space constructible universal-traversal sequences for graphs with restricted labelling and log-space constructible universal-exploration sequences for general graphs.
General Secure Multi-Party Computation from any Linear Secret-Sharing Scheme
2000
Cited by 162 (23 self)
We show that verifiable secret sharing (VSS) and secure multi-party computation (MPC) among a set of n players can efficiently be based on any linear secret sharing scheme (LSSS) for the players, provided that the access structure of the LSSS allows MPC or VSS at all. Because an LSSS neither guarantees reconstructability when some shares are false, nor verifiability of a shared value, nor allows for the multiplication of shared values, an LSSS is an apparently much weaker primitive than VSS or MPC. Our approach to secure MPC is generic and applies to both the information-theoretic and the cryptographic setting. The construction is based on 1) a formalization of the special multiplicative property of an LSSS that is needed to perform a multiplication on shared values, 2) an efficient generic construction to obtain from any LSSS a multiplicative LSSS for the same access structure, and 3) an efficient generic construction to build verifiability into every LSSS (always assuming that the adversary structure allows for MPC or VSS at all). The protocols are efficient. In contrast to all previous information-theoretically secure protocols, the field size is not restricted (e.g., to be greater than n). Moreover, we exhibit adversary structures for which our protocols are polynomial in n while all previous approaches to MPC for non-threshold adversaries provably have superpolynomial complexity.
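To make the "multiplicative property" concrete: Shamir's threshold scheme is the simplest LSSS that has it. Players multiply their own shares locally and obtain shares of the product, but of a polynomial of doubled degree, so 2t+1 players rather than t+1 are needed to open the result; this is why MPC from a threshold LSSS needs t < n/2. The block below is an added illustration and not the paper's generic construction; the prime field and the (t, n) parameters are chosen here. Note the caveat the abstract alludes to: Shamir's scheme needs a field larger than n, which is exactly the restriction the paper's construction removes.

```python
import random

# Prime field for the shares (a constructed choice for this illustration). Shamir's
# scheme needs |F| > n, the restriction the paper's generic construction removes.
P = 2**61 - 1

def share(secret, t, n, rng):
    """Shamir (t, n) sharing: evaluate a random degree-t polynomial with constant
    term `secret` at x = 1..n. Any t shares reveal nothing; t+1 reconstruct.
    The scheme is linear: the share-wise sum of two sharings is a sharing of the sum."""
    assert 0 <= secret < P and 0 < t < n < P
    coeffs = [secret] + [rng.randrange(P) for _ in range(t)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0; correct only with deg + 1 or more shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        lam = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                lam = lam * (-xj) * pow(xi - xj, P - 2, P) % P
        secret = (secret + yi * lam) % P
    return secret

def add_shares(sa, sb):
    """Linear operation on shares: no interaction between players is needed."""
    return [(x, (ya + yb) % P) for (x, ya), (_, yb) in zip(sa, sb)]

def mul_shares(sa, sb):
    """The multiplicative property: each player multiplies its own two shares and
    holds a share of a*b, but on a degree-2t polynomial. Opening now needs 2t+1
    players, so the access structure must have t < n/2 for this to be usable."""
    return [(x, ya * yb % P) for (x, ya), (_, yb) in zip(sa, sb)]

def demo(a, b, t, n, seed=None):
    """Share a and b among n players with threshold t, then open sum and product."""
    rng = random.Random(seed)
    sa, sb = share(a, t, n, rng), share(b, t, n, rng)
    prod = mul_shares(sa, sb)
    return {
        "a": reconstruct(sa[:t + 1]),
        "sum": reconstruct(add_shares(sa, sb)[:t + 1]),
        "product_from_2t_plus_1": reconstruct(prod[:2 * t + 1]),
        # Only t+1 shares of the degree-2t product polynomial: interpolates a wrong value.
        "product_from_t_plus_1": reconstruct(prod[:t + 1]),
    }
```

Running demo(a, b, t=2, n=5) shows the sum opening correctly from 3 shares while the product opens correctly only from all 5; with 3 shares the interpolated value is wrong (except with probability about 1/P). Real MPC protocols follow each local multiplication with a degree-reduction step so that the threshold stays at t; that step is what the paper's generic construction supplies for arbitrary linear schemes.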
Protecting Data Privacy in Private Information Retrieval Schemes
JCSS
Cited by 135 (21 self)
Private Information Retrieval (PIR) schemes allow a user to retrieve the i-th bit of an n-bit data string x, replicated in k ≥ 2 databases (in the information-theoretic setting) or in k ≥ 1 databases (in the computational setting), while keeping the value of i private. The main cost measure for such a scheme is its communication complexity.
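The simplest information-theoretic PIR scheme, for k = 2 replicas, shows what the abstract's model and cost measure mean in practice. It is an added illustration and not a scheme from this paper: the client sends a uniformly random subset of positions to one server and the same subset with position i flipped to the other, each server answers with the XOR of the selected bits, and the client XORs the two answers. Each server alone sees a uniformly random subset independent of i; the communication cost is n bits up and 1 bit down per server. The database contents below are constructed sample input.

```python
import secrets

_rng = secrets.SystemRandom()

def make_queries(n, i, rng=_rng):
    """Client: pick a uniformly random subset S of {0..n-1} (as an indicator vector),
    send S to server 1 and S with position i flipped to server 2. Each server on its
    own sees a uniformly random subset, so its view is independent of i."""
    S = [rng.randrange(2) for _ in range(n)]
    T = S.copy()
    T[i] ^= 1
    return S, T

def server_answer(db, query):
    """Server: XOR of the selected bits of its replica; a single bit goes back."""
    acc = 0
    for bit, selected in zip(db, query):
        if selected:
            acc ^= bit
    return acc

def retrieve(replica1, replica2, i):
    """Full exchange. The two answers differ exactly by whether x_i was included,
    so their XOR is x_i."""
    S, T = make_queries(len(replica1), i)
    return server_answer(replica1, S) ^ server_answer(replica2, T)

def communication_bits(n):
    """The abstract's cost measure: n query bits to each server plus a 1-bit reply each."""
    return 2 * (n + 1)

def colluding_servers_learn(S, T):
    """If the two servers pool their queries, S xor T is the unit vector at i.
    Information-theoretic privacy here rests entirely on the servers not colluding."""
    diff = [s ^ t for s, t in zip(S, T)]
    return diff.index(1) if diff.count(1) == 1 else None
```

The scheme is correct for every index but costs O(n) bits per query, no better than downloading the whole string; the literature the abstract belongs to is about driving that communication down while keeping the same privacy guarantee. colluding_servers_learn is the check to keep in mind when evaluating any multi-server PIR deployment: the replicas must be operated by parties that do not share query logs.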
Efficient Multiparty Computations Secure Against an Adaptive Adversary
1999
Cited by 87 (21 self)
We consider verifiable secret sharing (VSS) and multiparty computation (MPC) in the secure-channels model, where a broadcast channel is given and a non-zero error probability is allowed. In this model Rabin and Ben-Or proposed VSS and MPC protocols secure against an adversary that can corrupt any minority of the players. In this paper, we first observe that a subprotocol of theirs, known as weak secret sharing (WSS), is not secure against an adaptive adversary, contrary to what was believed earlier. We then propose new and adaptively secure protocols for WSS, VSS and MPC that are substantially more efficient than the original ones. Our protocols generalize easily to provide security against general Q²-adversaries.
Zero-Knowledge Proofs for Finite Field Arithmetic, or: Can Zero-Knowledge be for Free?
In Proc. CRYPTO, 1997
Cited by 62 (5 self)
We present zero-knowledge proofs and arguments for arithmetic circuits over finite prime fields, namely given a circuit, show in zero-knowledge that inputs can be selected leading to a given output. For a field GF(q), where q is an n-bit prime, a circuit of size O(n), and error probability 2^{-n}, our protocols require communication of O(n^2) bits. This is the same worst-case complexity as the trivial (non zero-knowledge) interactive proof where the prover just reveals the input values. If the circuit involves n multiplications, the best previously known methods would in general require communication of Ω(n^{…} log n) bits. Variations of the
Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors
2008
Cited by 52 (9 self)
Consider an abstract storage device Σ(G) that can hold a single element x from a fixed, publicly known finite group G. Storage is private in the sense that an adversary does not have read access to Σ(G) at all. However, Σ(G) is non-robust in the sense that the adversary can modify its contents by adding some offset Δ ∈ G. Due to the privacy of the storage device, the value Δ can only depend on an adversary's a priori knowledge of x. We introduce a new primitive called an algebraic manipulation detection (AMD) code, which encodes a source s into a value x stored on Σ(G) so that any tampering by an adversary will be detected, except with a small error probability δ. We give a nearly optimal construction of AMD codes, which can flexibly accommodate arbitrary choices for the length of the source s and security level δ. We use this construction in two applications:
– We show how to efficiently convert any linear secret sharing scheme into a robust secret sharing scheme, which ensures that no unqualified subset of players can modify their shares and cause the reconstruction of some value s′ ≠ s.
– We show how to build nearly optimal robust fuzzy extractors for several natural metrics. Robust fuzzy extractors enable one to reliably extract and later recover random keys from noisy and non-uniform secrets, such as biometrics, by relying only on non-robust public storage. In the past, such constructions were known only in the random oracle model, or required the entropy rate of the secret to be greater than half. Our construction relies on a randomly chosen common reference string (CRS) available to all parties.
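The abstract defines the AMD primitive but gives no formula. The block below is an added illustration of a systematic polynomial AMD code over GF(p): the source s ∈ GF(p)^d is stored as (s, x, f(s, x)) with fresh random x and f(s, x) = x^{d+2} + Σ s_i x^i, so that an offset Δ added blindly to any coordinate is caught unless x happens to be a root of a nonzero polynomial of degree at most d+1, giving a failure probability of at most (d+1)/p. The encoding, the field size p = 101 and the source values are choices made here, not taken from the page; because the field is small, the bound can be verified by exhausting every value of the encoder's randomness rather than taken on faith. The same mechanism is what turns a plain linear secret sharing scheme into a robust one: each share carries an AMD tag, so a cheating party who shifts its share is detected at reconstruction.

```python
import secrets

# Small prime field so the detection bound can be checked by exhausting the randomness.
# The construction needs the field characteristic not to divide d + 2 (d = source length).
P = 101
_rng = secrets.SystemRandom()

def tag(s, x):
    """f(s, x) = x^(d+2) + sum_{i=1..d} s_i x^i over GF(P)."""
    d = len(s)
    return (pow(x, d + 2, P) + sum(si * pow(x, i, P) for i, si in enumerate(s, 1))) % P

def encode(s, rng=_rng):
    """Systematic AMD encoding: store (s, x, f(s, x)) with fresh random x in the
    group G = GF(P)^(d+2), which the adversary can only shift by a constant offset."""
    s = tuple(s)
    assert all(0 <= v < P for v in s) and (len(s) + 2) % P != 0
    x = rng.randrange(P)
    return s + (x, tag(s, x))

def decode(word):
    """Return the source if the tag verifies, otherwise None (manipulation detected)."""
    *s, x, t = word
    return tuple(s) if tag(s, x) == t else None

def add_offset(word, delta):
    """The adversary's only capability: add a fixed offset in G without seeing the word."""
    return tuple((w + d) % P for w, d in zip(word, delta))

def undetected_count(s, delta):
    """For fixed s and offset delta, count the values of x for which the shifted word
    decodes to a wrong source. The polynomial argument gives at most d+1 such x, i.e.
    a failure probability of at most (d+1)/P over the encoder's randomness."""
    s = tuple(s)
    return sum(1 for x in range(P)
               if decode(add_offset(s + (x, tag(s, x)), delta)) not in (None, s))
```

For s = (7, 42) and the offset (1, 0, 0, 0) the tampered word verifies only when x = 0, since the tags differ by exactly x; an offset that touches only the tag never verifies; an offset that also shifts x produces a degree-3 condition and so at most 3 bad values of x out of 101. Whatever the adversary adds, the failure probability stays at or below (d+1)/P = 3/101, and in a real deployment P would be chosen large enough to make that negligible.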
Superpolynomial lower bounds for monotone span programs
1996
Cited by 49 (6 self)
In this paper we obtain the first superpolynomial lower bounds for monotone span programs computing explicit functions. The best previous lower bound was Ω(n^{5/2}) by Beimel, Gál, Paterson [BGP]; our proof exploits a general combinatorial lower bound criterion from that paper. Our lower bounds are based on an analysis of Paley-type bipartite graphs via Weil's character sum estimates. We prove an n^{Ω(log n / log log n)} lower bound for the size of monotone span programs for the clique problem. Our results give the first superpolynomial lower bounds for linear secret sharing schemes. We demonstrate the surprising power of monotone span programs by exhibiting a function computable in this model in linear size while requiring superpolynomial size monotone circuits and exponential size monotone formulae. We also show that the perfect matching function can be computed by polynomial size (non-monotone) span programs over arbitrary fields.
From secrecy to soundness: efficient verification via secure computation
In Proceedings of the 37th International Colloquium on Automata, Languages and Programming, 2010
Cited by 46 (3 self)
We study the problem of verifiable computation (VC) in which a computationally weak client wishes to delegate the computation of a function f on an input x to a computationally strong but untrusted server. We present new general approaches for constructing VC protocols, as well as solving the related problems of program checking and self-correcting. The new approaches reduce the task of verifiable computation to suitable variants of secure multiparty computation (MPC) protocols. In particular, we show how to efficiently convert the secrecy property of MPC protocols into soundness of a VC protocol via the use of a message authentication code (MAC). The new connections allow us to apply results from the area of MPC towards simplifying, unifying, and improving over previous results on VC and related problems. In particular, we obtain the following concrete applications: (1) The first VC protocols for arithmetic computations which only make a black-box use of the underlying field or ring; (2) a non-interactive VC protocol for boolean circuits in the preprocessing model, conceptually simplifying and improving the online complexity of a recent protocol of Gennaro et al. (Cryptology ePrint Archive: Report 2009/547); (3) NC⁰ self-correctors for complete languages in the complexity class NC¹ and various log-space classes, strengthening previous AC⁰ correctors of Goldwasser et al. (STOC 2008).
Access control and signatures via quorum secret sharing
IEEE Transactions on Parallel and Distributed Systems, 1998
Cited by 45 (12 self)
We suggest a method of controlling access to a secure database via quorum systems. A quorum system is a collection of sets (quorums) every two of which have a non-empty intersection. Quorum systems have been used for a number of applications in the area of distributed systems. We propose a separation between access servers, which are protected and trustworthy but may be outdated, and the data servers, which may all be compromised. The main paradigm is that only the servers in a complete quorum can collectively grant (or revoke) access permission. The method we suggest ensures that, after authorization is revoked, a cheating user Alice will not be able to access the data even if many access servers still consider her authorized and even if the complete raw database is available to her. The method has a low overhead in terms of communication and computation. It can also be converted into a distributed system for issuing secure signatures. An important building block in our method is the use of secret sharing schemes that realize the access structures of quorum systems. We provide several efficient constructions of such schemes which may be of interest in their own right.