A cryptographic protocol possesses separability if the participants can choose their keys independently of each other. This is advantageous from a key-management as well as from a security point of view. This paper focuses on separability in group signature schemes. Such schemes allow a group member to sign messages anonymously on the group's behalf. However, in case of this anonymity's misuse, a trustee can reveal the originator of a signature. We provide a generic fully separable group signature scheme and present an ecient instantiation thereof. The scheme is suited for large groups; the size of the group's public key and the length of signatures do not depe...

Abstract — We present a watermarking procedure to embed copyright protection into digital video. Our watermarking procedure is scene-based and video dependent. It directly exploits spatial masking, frequency masking, and temporal properties to embed an invisible and robust watermark. The watermark consists of static and dynamic temporal components that are generated from a temporal wavelet transform of the video scenes. The resulting wavelet coefficient frames are modified by a perceptually shaped pseudorandom sequence representing the author. The noise-like watermark is statistically undetectable to thwart unauthorized removal. Furthermore, the author representation resolves the deadlock problem. The multiresolution watermark may be detected on single frames without knowledge of the location of the frames in the video scene. We demonstrate the robustness of the watermarking procedure to several video degradations and distortions. Index Terms — Copyright protection, data hiding, perceptual masking, video watermarking.

Abstract — Mobility is key to personal freedom. With the increasing availability of mobile devices, many providers begin to offer location-based services. Although these services greatly enrich our mobility experiences, with them also comes the privacy concerns, as a location-based service provider now can continuously track the location of a user. This tracking may allow unauthorized access and cause serious consequences. Although a few solutions have been proposed to address the privacy concerns in various aspects, there has not been any comprehensive study of the problem; furthermore, most of the existing solutions require that a user trust a third party such as a location server. In this paper, we investigate privacy-preserving locationbased services for the three components involved in providing

We propose a formal model for data entanglement as used in storage systems like Dagster [25] and Tangler [26]. These systems split data into blocks in such a way that a single block becomes a part of several documents; these documents are said to be entangled. Dagster and Tangler use entanglement in conjunction with other techniques to deter a censor from tampering with unpopular data. In this paper, we assume that entanglement is a goal in itself. We measure the strength of a system by how thoroughly documents are entangled with one another and how attempting to remove a document a#ects the other documents in the system. We argue that while Dagster and Tangler achieve their stated goals, they do not achieve ours. In particular, we prove that deleting a typical document in Dagster a#ects, on average, only a constant number of other documents; in Tangler, it a#ects virtually no other documents. This motivates us to propose two stronger notions of entanglement, called dependency and all-or-nothing integrity. All-or-nothing integrity binds the users' data so that it is hard to delete or modify the data of any one user without damaging the data of all users. We study these notions in six submodels, di#erentiated by the choice of users' recovery algorithms and restrictions placed on the adversary. In each of these models, we not only provide mechanisms for limiting the damage done by the adversary, but also argue, under reasonable cryptographic assumptions, that no stronger mechanisms are possible.

Abstract. Data confidentiality is a major concern in database systems. Encryption is a useful tool for protecting the confidentiality of sensitive data. However, when data is encrypted, performing queries becomes more challenging. In this paper, we study efficient and provably secure methods for queries on encrypted data stored in an outsourced database that may be susceptible to compromise. Specifically, we show that, in our system, even if an intruder breaks into the database and observes some interactions between the database and its users, he only learns very little about the data stored in the database and the queries performed on the data. Our work consists of several components. First, we consider databases in which each attribute has a finite domain and give a basic solution for certain kinds of queries on such databases. Then, we present two enhanced solutions, one with a stronger security guarantee and the other with accelerated queries. In addition to providing proofs of our security guarantees, we provide empirical performance evaluations. Our experiments demonstrate that our solutions are fast on large-sized real data. 1

Distributed implementations of access control abound in distributed storage protocols. While such implementations are often accompanied by informal justifications of their correctness, our formal analysis reveals that their correctness can be tricky. In particular, we discover several subtleties in a state-of-the-art implementation based on capabilities, that can undermine correctness under a simple specification of access control. We consider both safety and security for correctness; loosely, safety requires that an implementation does not introduce unspecified behaviors, and security requires that an implementation preserves the specified behavioral equivalences. We show that a secure implementation of a static access policy already requires some care in order to prevent unspecified leaks of information about the access policy. A dynamic access policy causes further problems. For instance, if accesses can be dynamically granted then the implementation does not remain secure—it leaks information about the access policy. If accesses can be dynamically revoked then the implementation does not even remain safe. We show that a safe implementation is possible if a clock is introduced in the implementation. A secure implementation is possible if the specification is accordingly generalized. Our analysis shows how a distributed implementation can be systematically designed from a specification, guided by precise formal goals. While our results are based on formal criteria, we show how violations of each of those criteria can lead to real attacks. We distill the key ideas behind those attacks and propose corrections in terms of useful design principles. We show that other stateful computations can be distributed just as well using those principles. 1

. We show that both variants of the Dual Counter Mode of encryption (DCM) submitted for consideration as an AES mode of operation to NIST by M. Boyle and C. Salter of the NSA are insecure with respect to both secrecy and integrity in the face of chosen-plaintext attacks. We argue that DCM cannot be easily changed to satisfy its stated performance goal and be secure. Hence repairing DCM does not appear worthwhile. 1

Abstract. Cryptography based on noncommutative algebra still suffers from lack of schemes and lack of interest. In this work, we show new constructions of cryptosystems based on group invariants and suggest methods to make such cryptosystems secure in practice. Cryptographers still cannot prove security in its cryptographic sense or even reduce it to some statement about regular complexity classes. In this paper we introduce a new notion of cryptographic security, a provable break, and prove that cryptosystems based on matrix group invariants and also a variation of the Anshel-Anshel-Goldfeld key agreement protocol for modular groups are secure against provable worst-case break unless NP ⊆ RP. 1

We discuss aspects of secure quantum communication by proposing and analyzing a quantum analog of the Vernam cipher (one-time-pad). The quantum Vernam cipher uses entanglement as the key to encrypt quantum information sent through an insecure quantum channel. First, in sharp contrast with the classical Vernam cipher, the quantum key can be recycled securely. We show that key recycling is intrinsic to the quantum cipher-text, rather than using entanglement as the key. Second, the scheme detects and corrects for arbitrary transmission errors, and it does so using only local operations and classical communication (LOCC) between the sender and the receiver. The application to quantum message authentication is discussed. Quantum secret sharing schemes with similar properties are characterized. We also discuss two general issues, the relation between secret communication and secret sharing, the classification of secure communication protocols.