Efficient generation of shared RSA keys
- Advances in Cryptology -- CRYPTO 97, 1997
Cited by 112 (4 self)
We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication. All results are presented in the honest-but-curious setting (passive adversary).
Chosen ciphertext secure public key threshold encryption without random oracles
- in Proceedings of RSA-CT 2006, 2006
Cited by 16 (3 self)
We present a non-interactive chosen ciphertext secure threshold encryption system. The proof of security is set in the standard model and does not use random oracles. Our construction uses the recent identity based encryption system of Boneh and Boyen and the chosen ciphertext secure construction of Canetti, Halevi, and Katz.
Scalable security and accounting services for content-based publish/subscribe systems
- Proceedings of the Symposium on Applied Computing, 2005
Cited by 7 (0 self)
Content-based publish/subscribe systems offer an interaction scheme that is appropriate for a variety of large scale dynamic applications. However, widespread use of these systems is hindered by a lack of suitable security services. In this paper we present scalable solutions for confidentiality, integrity, and authentication for these systems. We also provide verifiable usage-based accounting services, which are required for e-commerce and e-business applications that use publish/subscribe systems. Our solutions are applicable in a setting where publishers and subscribers may not trust the publish/subscribe infrastructure. Keywords: Publish/subscribe systems, Electronic Commerce, Security
Efficient Generation of Shared RSA keys (Extended Abstract)
- In Kaliski [103
Cited by 3 (0 self)
We describe efficient techniques for three (or more) parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication.
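Both shared-RSA entries above end with the same statement: each party holds a share of the private exponent, and those shares enable threshold decryption. The example below, added here and not taken from either paper, shows the arithmetic behind that sentence for the simplest case, additive shares of d that must all be combined (n-of-n). It deliberately does not reproduce the papers' contribution: here a trusted dealer who knows p, q and phi(N) produces the shares, whereas the papers generate N and the shares jointly so that nobody ever learns the factorization. The primes, the public exponent choice and the dealer are assumptions made to keep the code short; the primes are toy-sized and not secure parameters.

```python
"""n-of-n RSA decryption from additive shares of the private exponent d.

Editor-added illustration; not code from the papers above. A trusted dealer
(an assumption of this example) does ordinary RSA key generation and splits d.
The papers' protocols avoid such a dealer entirely.
"""
import secrets

# Constructed toy parameters: 1009 and 1013 are prime, so N is about 20 bits.
# Real moduli are at least 2048 bits; these are only for readable numbers.
TOY_P, TOY_Q = 1009, 1013
PUBLIC_E = 65537


def dealer_keygen(p, q, e=PUBLIC_E):
    """Ordinary RSA key generation by a dealer. Returns (N, e, d, phi)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # raises ValueError if e is not invertible mod phi
    return n, e, d, phi


def split_additive(d, parties, phi):
    """Additive shares with d_1 + ... + d_k = d (mod phi).

    Any k-1 of the shares are uniformly random and independent of d, so a
    coalition of fewer than all k parties learns nothing about d from them.
    """
    shares = [secrets.randbelow(phi) for _ in range(parties - 1)]
    shares.append((d - sum(shares)) % phi)
    return shares


def partial_decrypt(ciphertext, share, n):
    """Each party computes this locally from its own share only."""
    return pow(ciphertext, share, n)


def combine(partials, n):
    """Multiply the partials: c^{d_1} * ... * c^{d_k} = c^{d_1+...+d_k} = c^d (mod N),
    because the shares sum to d modulo phi and c^phi = 1 (mod N) whenever
    gcd(c, N) = 1, which holds for all but a negligible fraction of ciphertexts."""
    m = 1
    for s in partials:
        m = (m * s) % n
    return m


def threshold_decrypt(ciphertext, shares, n):
    return combine([partial_decrypt(ciphertext, s, n) for s in shares], n)


def demo(message=4242, parties=3):
    """Round trip with k parties, plus what k-1 parties get on their own."""
    n, e, d, phi = dealer_keygen(TOY_P, TOY_Q)
    shares = split_additive(d, parties, phi)
    c = pow(message, e, n)                       # anyone can encrypt with (N, e)
    recovered = threshold_decrypt(c, shares, n)  # all k parties cooperate
    partial_only = threshold_decrypt(c, shares[:-1], n)  # one party missing
    return {"N": n, "e": e, "ciphertext": c,
            "recovered": recovered, "recovered_with_k_minus_1": partial_only}


if __name__ == "__main__":
    print(demo())
```

The value of `recovered_with_k_minus_1` is, with overwhelming probability, just a random-looking residue: the missing share is exactly as unknown to the other parties as d itself. What the papers add on top of this picture is generating N and the d_i without any dealer ever holding p, q or d, and (in the CRYPTO 97 paper) doing so efficiently against a passive adversary.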
A Scheme for Timed-Release Public Key Based Authenticated Encryption
- 2004
Cited by 1 (0 self)
This paper introduces new approaches to Timed-release Cryptography including authenticated timed-release encryption and a timed-release digital signature scheme with their variations. All of our proposed solutions are built from a single mathematical primitive, the bilinear map. This simple construction allows our solution to be flexible and efficient. The proposed schemes are easily modifiable and extendable in order to satisfy different application requirements.
On Design of RSA Threshold Signature Scheme
- 2001
Almost all threshold signature schemes based on secret sharing such as polynomial sharing have a common weakness that they cannot resist the conspiracy attack. The reason is that the manager possesses the secret share of each member, and the secret can be retrieved by an adversary if the adversary can corrupt t members (where t is the threshold).
New Approaches to Timed-Release Cryptography
research contained in the reference list, which reflects our knowledge of related work prior to the date of submission to NDSS. The authors did not consult any other research that may or may not have been made publicly available through such channels as the Internet and did not discuss the paper with anyone working on the same topic. Any resemblance to other works which were not cited is purely coincidental and reflects the phenomenon of independent discovery. Since August 24, the authors were made aware of additional related work. In particular, the following was discovered: “Scalable, Server-Passive, User-Anonymous Timed Release Public Key Encryption from Bilinear Pairing” by Ian F. Blake and Aldar C-F. Chan, available at
Security Analysis and Enhancement for Prefix-Preserving Encryption Schemes
Prefix-preserving encryption (PPE) is an important type of encryption scheme, having a wide range of applications, such as IP address anonymization, prefix-matching search, and range search. There are two issues in PPE schemes, security proof and single key requirement. Existing security proofs for PPE only reduce the security of a real PPE scheme to that of the ideal PPE object by showing their computational indistinguishability [1, 14]. Such a security proof is incomplete since the security of the ideal encryption object is unknown. Also, existing prefix-preserving encryption schemes only consider a single encryption key, which is infeasible for a practical system with multiple users (implying that all users should have the single encryption key in order to encrypt or decrypt confidential data). In this paper we develop a novel mechanism to analyze the security of the ideal PPE object. We follow the modern cryptographic approach and create a new security notion IND-PCPA. Then, we show that such a weakened security notion is necessary and the ideal PPE object is secure under IND-PCPA. We also design a new, security-enhanced PPE protocol to support its use in multi-user systems, where no single entity in the system knows the PPE key. The protocol secret shares and distributes the PPE key to a group of key agents and lets them “distributedly encrypt” critical data. We develop a novel distributed PPE algorithm and the corresponding request and response protocols. Experimental results show that the protocol is feasible in practical systems. Key Words: Prefix-preserving encryption, security notion, IND-CPA, IND-PCPA, cryptographical security proof, multi-user systems, distributed prefix-preserving encryption algorithm.
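The abstract above takes the prefix-preserving property for granted and argues that it forces a security notion weaker than IND-CPA. The example below, added here and not code from the paper, makes the property concrete for IPv4 addresses using the well-known bitwise construction in which each ciphertext bit is the plaintext bit XORed with a pseudorandom bit derived from the preceding plaintext bits. HMAC-SHA256 under a single key stands in for the pseudorandom function (an assumption of this example), the key is a constant for reproducibility only, and the paper's multi-user protocol with secret-shared keys is not reproduced. The last function is the check a practitioner wants: two addresses sharing an n-bit prefix encrypt to ciphertexts sharing exactly an n-bit prefix, which is both the feature and the leakage that rules out IND-CPA.

```python
"""Prefix-preserving encryption (PPE) of IPv4 addresses, bit by bit.

Editor-added illustration of the prefix-preserving property; not code from the
paper, and single-key only (the paper's distributed, multi-user variant is not
shown). HMAC-SHA256 is used as the pseudorandom function, an assumption here.
"""
import hashlib
import hmac
import ipaddress

BITS = 32
# Constructed key for a reproducible example; never hard-code a real key.
DEMO_KEY = b"constructed-demo-key-not-a-secret"


def _to_bits(addr):
    return format(int(ipaddress.IPv4Address(addr)), f"0{BITS}b")


def _from_bits(bits):
    return str(ipaddress.IPv4Address(int(bits, 2)))


def _pad_bit(key, prefix_bits):
    """One pseudorandom bit that depends only on the key and the plaintext
    prefix seen so far. The prefix length is included so that the empty prefix
    and a run of zero bits map to different PRF inputs."""
    msg = f"{len(prefix_bits)}:{prefix_bits}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def ppe_encrypt(key, addr):
    """c_i = a_i XOR F_K(a_1 ... a_{i-1}), for i = 1..32."""
    bits = _to_bits(addr)
    out = [str(int(bits[i]) ^ _pad_bit(key, bits[:i])) for i in range(BITS)]
    return _from_bits("".join(out))


def ppe_decrypt(key, enc_addr):
    """Invert sequentially: once a_1..a_{i-1} are known, the pad for bit i
    can be recomputed and a_i = c_i XOR pad."""
    cbits = _to_bits(enc_addr)
    plain = ""
    for i in range(BITS):
        plain += str(int(cbits[i]) ^ _pad_bit(key, plain))
    return _from_bits(plain)


def common_prefix_len(a, b):
    """Number of leading bits two addresses share (0..32)."""
    x, y = _to_bits(a), _to_bits(b)
    n = 0
    while n < BITS and x[n] == y[n]:
        n += 1
    return n


def prefix_preserved(key, a, b):
    """True when the ciphertexts share exactly as many leading bits as the
    plaintexts. This always holds for the construction above: bits before the
    first difference get identical pads, and the first differing bit gets the
    same pad on both sides, so it still differs. It is also why an observer
    can recover the subnet structure of an anonymized trace without the key."""
    return common_prefix_len(ppe_encrypt(key, a), ppe_encrypt(key, b)) == \
        common_prefix_len(a, b)


if __name__ == "__main__":
    # Constructed sample: two hosts in 10.1.0.0/20, and one unrelated host.
    for a, b in [("10.1.2.3", "10.1.9.9"), ("10.1.2.3", "192.168.0.1")]:
        print(a, b, common_prefix_len(a, b),
              ppe_encrypt(DEMO_KEY, a), ppe_encrypt(DEMO_KEY, b),
              prefix_preserved(DEMO_KEY, a, b))
```

Because the property is unconditional, any scheme with it lets an adversary who can choose plaintexts confirm or deny prefix relationships among ciphertexts, which is the IND-CPA break the abstract alludes to and the reason a prefix-aware notion such as the paper's IND-PCPA is needed to say anything positive about the ideal PPE object.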

