## Self-Healing Key Distribution with Revocation (2002)

### Cached

### Download Links

- [www.cs.ucdavis.edu]
- [www.csl.sri.com]
- [www.csl.sri.com]
- CiteULike
- DBLP

### Other Repositories/Bibliography

Venue: | In Proceedings of IEEE Symposium on Security and Privacy, The Claremont Resort |

Citations: | 39 - 1 self |

### BibTeX

@INPROCEEDINGS{Miner02self-healingkey,

author = {Sara Miner and Michael Malkin and Matt Franklin and U. C. Davis and Drew Dean and Jessica Staddon and Jessica Staddon and Dirk Balfanz and Dirk Balfanz},

title = {Self-Healing Key Distribution with Revocation},

booktitle = {In Proceedings of IEEE Symposium on Security and Privacy, The Claremont Resort},

year = {2002},

pages = {241--257}

}

### Years of Citing Articles

### OpenURL

### Abstract

We address the problem of establishing a group key amongst a dynamic group of users over an unreliable, or Iossy, network. We term our key distribution mechanisms self-healing because users' are capable of recovering lost group keys on their own, without requesting additional transmissions from the group manager, thus cutting back on network traffic, decreasing the load on the group manager, and reducing the risk of user exposure through traffic analysis. A user must be a member both before and after the session in which a particular key is sent in order to be able to recover the key through self-healing. Binding the ability to recover keys' to membership status enables the group manager to use short broadcasts' to establish group keys', independent of the group size. In addition, the selfhealing approach to key distribution is stateless, meaning that a group member who has been off-line for some time is able to recover new session keys' immediately after coming back on-line.

### Citations

8556 | Elements of Information Theory - Cover, Thomas - 1991 |

464 | Entity authentication and key distribution
- Bellare, Rogaway
- 1993
(Show Context)
Citation Context ... interactive key distribution is studied. The formal analysis of key distribution protocols is considered in [18, 38]. Provably secure two party key distribution with active adversaries is studied in =-=[3, 4, 35, 6]-=-. 2. Definitions and Notation In a key distribution scheme, a group manager seeks to establish a new unique key with each user over a broadcast channel (See Appendix C for a formal definition). In a s... |

248 | Broadcast encryption
- Fiat, Naor
- 1994
(Show Context)
Citation Context ...manager first, as appending the necessary keying information in a secure way requires knowledge of the users’ personal keys. Key distribution is at the core of many multicast and broadcast encryptio=-=n [5, 17]-=- schemes. Our constructions rest on a new technique for distributing distinct keys that is an extension of techniques for distributing common keys to subsets of users due to Naor and Pinkas [29]. In a... |

209 | Provably secure session key distribution – the three party case
- Bellare, Rogaway
- 1995
(Show Context)
Citation Context ... interactive key distribution is studied. The formal analysis of key distribution protocols is considered in [18, 38]. Provably secure two party key distribution with active adversaries is studied in =-=[3, 4, 35, 6]-=-. 2. Definitions and Notation In a key distribution scheme, a group manager seeks to establish a new unique key with each user over a broadcast channel (See Appendix C for a formal definition). In a s... |

196 | The decision Diffie-Hellman problem
- Boneh
- 1998
(Show Context)
Citation Context ... theorem following Construction 5 shows that the construction is secure provided the Decision Diffie-Hellman (DDH) assumption is hard. We informally state the assumption here, referring the reader to =-=[1]-=- for a more precise and detailed discussion and to [29, 10] for examples of proofs of reduction to the DDH problem. DDH is defined for any cyclic group G and generator g. The DDH assumption is that it... |

196 | Multicast Security: A Taxonomy and Some Efficient Constructions
- Canetti, Garay, et al.
- 1999
(Show Context)
Citation Context ...[29]. In addition, our approach to the multicast problem is similar to the one taken by Kronos [33], in that we also use periodic rekeying. For other multicast and broadcast encryption techniques see =-=[11, 17, 20, 21, 22, 28, 32, 37]-=-. Graph-based multicast constructions are given in [39, 40, 26], and a method for reducing the number of update messages needed by a previously off-line member in such schemes is given in [30]. Lower ... |

85 | An efficient public key traitor tracing scheme
- Boneh, Franklin
- 1999
(Show Context)
Citation Context ...ruction is secure provided the Decision Diffie-Hellman (DDH) assumption is hard. We informally state the assumption here, referring the reader to [1] for a more precise and detailed discussion and to =-=[29, 10]-=- for examples of proofs of reduction to the DDH problem. DDH is defined for any cyclic group G and generator g. The DDH assumption is that it is difficult to distinguish between the distributions of (... |

67 | Efficient communication-storage tradeoffs for multicast encryp-tion
- Canetti, Malkin, et al.
- 1999
(Show Context)
Citation Context ...rom the group periodically), the key distribution broadcast targets only current group members. The problem of distributing keys over a reliable channel has received much attention (see, for example, =-=[12, 20, 33, 39]).-=- In this paper, we study a pragmatic variant of this problem that has received much less attention–namely, how to distribute session keys in a manner that is resistant to packet loss. In an unreliab... |

62 |
Perfectly Secure Key Distribution for Dynamic Conferences
- Blundo, Santis, et al.
- 1993
(Show Context)
Citation Context ...the same model. A Diffie-Hellman based solution for authenticated key distribution is given in [43]. The two party key distribution problem is studied in the computational setting in [14, 24, 42]. In =-=[36, 9, 2, 8]-=-, interactive key distribution is studied. The formal analysis of key distribution protocols is considered in [18, 38]. Provably secure two party key distribution with active adversaries is studied in... |

43 | radeo¤s between communication and storage in unconditionally secure schemes for broadcast encryption and interactive key distribution
- Blundo, Stinson
- 1996
(Show Context)
Citation Context ...the same model. A Diffie-Hellman based solution for authenticated key distribution is given in [43]. The two party key distribution problem is studied in the computational setting in [14, 24, 42]. In =-=[36, 9, 2, 8]-=-, interactive key distribution is studied. The formal analysis of key distribution protocols is considered in [18, 38]. Provably secure two party key distribution with active adversaries is studied in... |

36 | Coding constructions for blacklisting problems without computational assumptions
- Kumar, Rajagopalan, et al.
- 1999
(Show Context)
Citation Context ...[29]. In addition, our approach to the multicast problem is similar to the one taken by Kronos [33], in that we also use periodic rekeying. For other multicast and broadcast encryption techniques see =-=[11, 17, 20, 21, 22, 28, 32, 37]-=-. Graph-based multicast constructions are given in [39, 40, 26], and a method for reducing the number of update messages needed by a previously off-line member in such schemes is given in [30]. Lower ... |

34 |
Non-public key distribution
- Blom
- 1982
(Show Context)
Citation Context ...in which key distribution is needed. We briefly mention some of them for completeness. Initially, key distribution was mostly studied with the goal of establishing a shared secret between two parties =-=[7]-=-. A generalization of the problem studied in [7], that of establishing a shared key amongst a group of any size, is studied in [23, 19] in roughly the same model. A Diffie-Hellman based solution for a... |

33 | A.: Entity authentication and authenticated key transport protocols employing asymmetric techniques
- Blake-Wilson, Menezes
- 1997
(Show Context)
Citation Context ... interactive key distribution is studied. The formal analysis of key distribution protocols is considered in [18, 38]. Provably secure two party key distribution with active adversaries is studied in =-=[3, 4, 35, 6]-=-. 2. Definitions and Notation In a key distribution scheme, a group manager seeks to establish a new unique key with each user over a broadcast channel (See Appendix C for a formal definition). In a s... |

12 | On key distribution via true broadcasting
- Just, Kranakis, et al.
- 1994
(Show Context)
Citation Context ...rom the group periodically), the key distribution broadcast targets only current group members. The problem of distributing keys over a reliable channel has received much attention (see, for example, =-=[12, 20, 33, 39]).-=- In this paper, we study a pragmatic variant of this problem that has received much less attention–namely, how to distribute session keys in a manner that is resistant to packet loss. In an unreliab... |

10 |
Interaction in key distribution schemes
- Beimel, Chor
- 1994
(Show Context)
Citation Context ...the same model. A Diffie-Hellman based solution for authenticated key distribution is given in [43]. The two party key distribution problem is studied in the computational setting in [14, 24, 42]. In =-=[36, 9, 2, 8]-=-, interactive key distribution is studied. The formal analysis of key distribution protocols is considered in [18, 38]. Provably secure two party key distribution with active adversaries is studied in... |

7 |
How to broadcast a secret
- Berkovit
- 1991
(Show Context)
Citation Context ...manager first, as appending the necessary keying information in a secure way requires knowledge of the users’ personal keys. Key distribution is at the core of many multicast and broadcast encryptio=-=n [5, 17]-=- schemes. Our constructions rest on a new technique for distributing distinct keys that is an extension of techniques for distributing common keys to subsets of users due to Naor and Pinkas [29]. In a... |

7 |
Moni Naor. Digital signets: Self-enforcing protection of digital information (preliminary version
- Dwork, Lotspiech
- 1996
(Show Context)
Citation Context ...that it is important to prepare for all types of collusion attacks when designing key distribution schemes. If the scheme is such that sensitive information is embedded in users’ personal keys (e.g.=-=, [15]) a -=-coalition of users may be unwilling to share their personal keys and consequently can only attack session keys. Such a coalition could consist of α revoked users who collude with t − α new group m... |

3 |
Key Management for Secure Multicast with Dynamic Controllers
- Kurnio, Safavi-Naini, et al.
- 2000
(Show Context)
Citation Context ...[29]. In addition, our approach to the multicast problem is similar to the one taken by Kronos [33], in that we also use periodic rekeying. For other multicast and broadcast encryption techniques see =-=[11, 17, 20, 21, 22, 28, 32, 37]-=-. Graph-based multicast constructions are given in [39, 40, 26], and a method for reducing the number of update messages needed by a previously off-line member in such schemes is given in [30]. Lower ... |

2 |
A Practical Scheme for Non-Interactive Secret Sharing
- Feldman
- 1987
(Show Context)
Citation Context ...ast selfhealing (the core operation is simple polynomial interpolation) over a fixed set of m sessions and is resistant to collusion. We discuss how to use modular exponentiation-based secret sharing =-=[16]-=- to extend the lifetime of these constructions by allowing users to evolve their personal keys from a base set to an appropriate set of keys for the current set of sessions. In all of these constructi... |

2 |
A Modular Approach to key Distribution
- Fumy, Munzert
- 1990
(Show Context)
Citation Context ...ribution problem is studied in the computational setting in [14, 24, 42]. In [36, 9, 2, 8], interactive key distribution is studied. The formal analysis of key distribution protocols is considered in =-=[18, 38]-=-. Provably secure two party key distribution with active adversaries is studied in [3, 4, 35, 6]. 2. Definitions and Notation In a key distribution scheme, a group manager seeks to establish a new uni... |

1 |
A Key Distribution System Based on any One-Way Function
- Davida, Desmedt, et al.
(Show Context)
Citation Context ..., 19] in roughly the same model. A Diffie-Hellman based solution for authenticated key distribution is given in [43]. The two party key distribution problem is studied in the computational setting in =-=[14, 24, 42]-=-. In [36, 9, 2, 8], interactive key distribution is studied. The formal analysis of key distribution protocols is considered in [18, 38]. Provably secure two party key distribution with active adversa... |

1 |
An Efficient Hierarchichal Identity-Based Key-Sharing Method Resistant Against Collusion-Attacks
- Hanaoka, Nishioka, et al.
(Show Context)
Citation Context ...ied with the goal of establishing a shared secret between two parties [7]. A generalization of the problem studied in [7], that of establishing a shared key amongst a group of any size, is studied in =-=[23, 19]-=- in roughly the same model. A Diffie-Hellman based solution for authenticated key distribution is given in [43]. The two party key distribution problem is studied in the computational setting in [14, ... |