Results 1–10 of 41
Sequences of Games: A Tool for Taming Complexity in Security Proofs
2004
"... This paper is brief tutorial on a technique for structuring security proofs as sequences games. ..."
Abstract

Cited by 164 (0 self)
 Add to MetaCart
This paper is a brief tutorial on a technique for structuring security proofs as sequences of games.
Public-key broadcast encryption for stateless receivers
In Digital Rights Management — DRM ’02, volume 2696 of LNCS, 2002
"... A broadcast encryption scheme allows the sender to securely distribute data to a dynamically changing set of users over an insecure channel. One of the most challenging settings for this problem is that of stateless receivers, where each user is given a fixed set of keys which cannot be updated thro ..."
Abstract

Cited by 53 (6 self)
 Add to MetaCart
(Show Context)
A broadcast encryption scheme allows the sender to securely distribute data to a dynamically changing set of users over an insecure channel. One of the most challenging settings for this problem is that of stateless receivers, where each user is given a fixed set of keys which cannot be updated through the lifetime of the system. This setting was considered by Naor, Naor and Lotspiech [NNL01], who also present a very efficient “subset difference” (SD) method for solving this problem. The efficiency of this method (which also enjoys an efficient traitor tracing mechanism and several other useful features) was recently improved by Halevi and Shamir [HS02], who called their refinement the “Layered SD” (LSD) method. Both of the above methods were originally designed to work in the centralized symmetric key setting, where only the trusted designer of the system can encrypt messages to users. On the other hand, in many applications it is desirable not to store the secret keys “online”, or to allow untrusted users to broadcast information. This leads to the question of building a public key broadcast encryption scheme for stateless receivers; in particular, of extending the elegant SD/LSD methods to the public key setting. Naor et al. [NNL01] notice that the natural technique for doing so will result in an enormous public key and very large storage for every user. In fact, [NNL01] pose this question of reducing the public key size and user’s storage as the first open problem of their paper. We resolve this question in the affirmative, by demonstrating that an O(1) size public key can be achieved for both the SD and LSD methods, in addition to the same (small) user’s storage and ciphertext size as in the symmetric key setting.
ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption
In CCS ’04: Proceedings of the 11th ACM conference on Computer and communications security, 2004
"... A forwardsecure encryption scheme protects secret keys from exposure by evolving the keys with time. Forward security has several unique requirements in hierarchical identitybased encryption (HIBE) scheme: (1) users join dynamically; (2) encryption is joiningtimeoblivious; (3) users evolve secre ..."
Abstract

Cited by 40 (8 self)
 Add to MetaCart
A forward-secure encryption scheme protects secret keys from exposure by evolving the keys with time. Forward security has several unique requirements in a hierarchical identity-based encryption (HIBE) scheme: (1) users join dynamically; (2) encryption is joining-time-oblivious; (3) users evolve secret keys autonomously. We present a scalable forward-secure HIBE (fs-HIBE) scheme satisfying the above properties. We also show how our fs-HIBE scheme can be used to construct a forward-secure public-key broadcast encryption scheme, which protects the secrecy of prior transmissions in the broadcast encryption setting. We further generalize fs-HIBE into a collusion-resistant multiple hierarchical ID-based encryption scheme, which can be used for secure communications with entities having multiple roles in role-based access control. The security of our schemes is based on the bilinear Diffie-Hellman assumption in the random oracle model.
Efficient Multi-receiver Identity-Based Encryption and Its Application to Broadcast Encryption
In Proc. of PKC’05, LNCS, 2005
"... In this paper, we construct an efficient “multireceiver identitybased encryption scheme”. Our scheme only needs one (or none if precomputed and provided as a public parameter) pairing computation to encrypt a single message for n receivers, in contrast to the simple construction that reencrypts a ..."
Abstract

Cited by 22 (1 self)
 Add to MetaCart
In this paper, we construct an efficient “multi-receiver identity-based encryption scheme”. Our scheme only needs one (or none if precomputed and provided as a public parameter) pairing computation to encrypt a single message for n receivers, in contrast to the simple construction that re-encrypts a message n times using Boneh and Franklin’s identity-based encryption scheme, considered previously in the literature. We extend our scheme to give adaptive chosen ciphertext security. We support both schemes with security proofs under a precisely defined formal security model. Finally, we discuss how our scheme can lead to a highly efficient public key broadcast encryption scheme based on the “subset-cover” framework.
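The subset-cover framework that the two broadcast-encryption abstracts above refer to (the stateless-receiver SD/LSD setting of [NNL01] in the DRM ’02 paper, and the “subset-cover” construction the PKC ’05 paper builds on) is easiest to see with the simpler Complete Subtree method from the same framework. The following is an added illustration written for this page, not code from any of the papers listed: each user holds the keys of every node on its root path, fixed for life (stateless), and the center revokes a set of users by wrapping a fresh session key under the keys of the subtrees that cover exactly the non-revoked users. The HMAC-based key derivation, the toy stream cipher and the ciphertext layout are this example’s own assumptions.

```python
"""Toy subset-cover broadcast encryption for stateless receivers, using the
Complete Subtree (CS) method.  Illustration written for this page; it is not
code from any of the papers listed.  The HMAC-based key derivation, the toy
stream cipher and the ciphertext layout are this example's own assumptions."""
import hashlib
import hmac
import secrets


def _prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as the PRF from which every key in the example is derived."""
    return hmac.new(key, label, hashlib.sha256).digest()


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (assumption): XOR data with HMAC(key, nonce||counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _prf(key, nonce + i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class CompleteSubtreeBE:
    """Users are the leaves of a complete binary tree.  Node i has children
    2i and 2i+1, the root is node 1 and user u sits at leaf n+u.  A user's
    key set is the keys of every node on its root path; it is fixed when the
    device is manufactured and never updated (the stateless setting)."""

    def __init__(self, n_users, master=None):
        if n_users < 1 or n_users & (n_users - 1):
            raise ValueError("n_users must be a power of two")
        self.n = n_users
        self.master = master if master is not None else secrets.token_bytes(32)

    def node_key(self, node):
        return _prf(self.master, b"node:%d" % node)

    def user_keys(self, u):
        """log2(n) + 1 keys: one per ancestor of leaf n+u, the leaf included."""
        keys, node = {}, self.n + u
        while node >= 1:
            keys[node] = self.node_key(node)
            node //= 2
        return keys

    def cover(self, revoked):
        """Subtrees that together contain exactly the non-revoked users: the
        children of Steiner-tree nodes that are not themselves in the Steiner
        tree spanned by the root and the revoked leaves.  At most r*log(n/r)
        subsets for r revoked users."""
        steiner = set()
        for u in revoked:
            node = self.n + u
            while node >= 1:
                steiner.add(node)
                node //= 2
        if not steiner:
            return [1]                       # nobody revoked: the root key alone
        cov = []
        for node in steiner:
            for child in (2 * node, 2 * node + 1):
                if child < 2 * self.n and child not in steiner:
                    cov.append(child)
        return sorted(cov)                   # empty when every user is revoked

    def encrypt(self, revoked, msg):
        """Center side: wrap a fresh session key under each cover node key
        (the enabling block), then encrypt the payload under the session key."""
        session = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        header = [(node, stream_xor(self.node_key(node), nonce, session))
                  for node in self.cover(revoked)]
        body = stream_xor(session, nonce + b"body", msg)
        tag = _prf(session, body)
        return {"nonce": nonce, "header": header, "body": body, "tag": tag}


def decrypt(user_keys, ct):
    """Receiver side: holds only its own key set and never sees the master key."""
    for node, wrapped in ct["header"]:
        if node in user_keys:
            session = stream_xor(user_keys[node], ct["nonce"], wrapped)
            if not hmac.compare_digest(_prf(session, ct["body"]), ct["tag"]):
                raise ValueError("integrity check failed")
            return stream_xor(session, ct["nonce"] + b"body", ct["body"])
    raise PermissionError("receiver is revoked: no cover subset contains it")


if __name__ == "__main__":
    be = CompleteSubtreeBE(8)
    ct = be.encrypt({1, 5}, b"licensed content")
    print("cover:", be.cover({1, 5}))                # [5, 7, 8, 12]
    print(decrypt(be.user_keys(0), ct))               # b'licensed content'
    try:
        decrypt(be.user_keys(1), ct)
    except PermissionError as e:
        print("user 1:", e)
```

With eight users and users 1 and 5 revoked, the cover is the four subtrees rooted at nodes 5, 7, 8 and 12, so the enabling block carries four wrapped copies of the session key; a revoked receiver holds no key for any of them and cannot recover the session key, while every other receiver opens exactly one entry. The same code also makes the public-key difficulty in the DRM ’02 abstract concrete: transliterating this scheme naively to the public-key setting would require a public key for each of the 2n−1 tree nodes, which is the “enormous public key” that [NNL01] observe and that the paper above reduces to O(1) for SD/LSD.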
Scalable public-key tracing and revoking
2005
"... Traitor tracing schemes constitute a useful tool against piracy in the context of digital content distribution. They are encryption schemes that can be employed by content providers that wish to deliver content to an exclusive set of users. Each user holds a decryption key that is fingerprinted and ..."
Abstract

Cited by 17 (8 self)
 Add to MetaCart
(Show Context)
Traitor tracing schemes constitute a useful tool against piracy in the context of digital content distribution. They are encryption schemes that can be employed by content providers that wish to deliver content to an exclusive set of users. Each user holds a decryption key that is fingerprinted and bound to his identity. When a pirate decoder is discovered, it is possible to trace the identities of the users that contributed to its construction. In most settings, both the user population and the set of content providers are dynamic, thus scalable user management and scalable provider management are crucial. Previous work on public-key traitor tracing did not address the dynamic scenario thoroughly: no efficient scalable public-key traitor tracing scheme has been proposed, in which the populations of providers and users can change dynamically over time without incurring a substantial penalty in terms of system performance and management complexity. To address these issues, we introduce a formal model for Scalable Public-Key Traitor Tracing, and present the first construction of such a scheme. Our model mandates deterministic traitor tracing and an unlimited number of efficient provider and user management operations. We present a formal adversarial model for our system and we prove our construction secure, against both adversaries that attempt to cheat the provider and user management mechanism, and adversaries that attempt to cheat the traitor tracing mechanism.
Extracting Group Signatures from Traitor Tracing Schemes
In Eurocrypt 2003, LNCS, 2003
"... Abstract. Digital Signatures emerge naturally from PublicKey Encryption based on trapdoor permutations, and the “duality ” of the two primitives was noted as early as DiffieHellman’s seminal work. The present work is centered around the crucial observation that two well known cryptographic primiti ..."
Abstract

Cited by 13 (1 self)
 Add to MetaCart
Digital Signatures emerge naturally from Public-Key Encryption based on trapdoor permutations, and the “duality” of the two primitives was noted as early as Diffie-Hellman’s seminal work. The present work is centered around the crucial observation that two well known cryptographic primitives whose connection has not been noticed so far in the literature enjoy an analogous “duality.” The primitives are Group Signature Schemes and Public-Key Traitor Tracing. Based on the observed “duality,” we introduce new design methodologies for group signatures that convert a traitor tracing scheme into its “dual” group signature scheme. Our first methodology applies to generic public-key traitor tracing schemes. We demonstrate its power by applying it to the Boneh-Franklin scheme, and obtaining its “dual” group signature. This scheme is the first provably secure group signature scheme whose signature size is not proportional to the size of the group and is based only on DDH and a random oracle. The existence of such schemes was open. Our second methodology introduces a generic way of turning any group signature scheme with signature size linear in the group size into a group signature scheme with only logarithmic dependency on the group size. To this end it employs the notion of traceability codes (a central component of combinatorial traitor tracing schemes already used in the first such scheme by Chor, Fiat and Naor). We note that our signatures, obtained by generic transformations, are proportional to a bound on the anticipated maximum malicious coalition size. Without the random oracle assumption our schemes give rise to provably secure and efficient Identity Escrow schemes.
An efficient public key trace and revoke scheme secure against adaptive chosen ciphertext attack
In Advances in Cryptology — Asiacrypt 2003, volume 2894 of LNCS, 2003
"... Abstract. We propose a new public key trace and revoke scheme secure against adaptive chosen ciphertext attack. Our scheme is more efficient than the DF scheme suggested by Y. Dodis and N. Fazio[9]. Our scheme reduces the length of enabling block of the DF scheme by (about) half. Additionally, the c ..."
Abstract

Cited by 11 (1 self)
 Add to MetaCart
(Show Context)
We propose a new public key trace and revoke scheme secure against adaptive chosen ciphertext attack. Our scheme is more efficient than the DF scheme suggested by Y. Dodis and N. Fazio [9]. Our scheme reduces the length of the enabling block of the DF scheme by (about) half. Additionally, the computational overhead of the user is lower than that of the DF scheme; instead, the computational overhead of the server is increased. The total computational overhead of the user and the server is the same as that of the DF scheme, and therefore, our scheme is more practical, since the computing power of the user is weaker than that of the server in many applications. In addition, our scheme is secure against adaptive chosen ciphertext attack under only the decision Diffie-Hellman (DDH) assumption and the collision-resistant hash function H assumption, whereas the DF scheme also needs the one-time MAC (message authentication code) assumption.
Building Efficient Fully Collusion-Resilient Traitor Tracing and Revocation Schemes
"... Abstract. In [8, 9] Boneh et al. presented the first fully collusionresistant traitor tracing and trace & revoke schemes. These schemes are based on composite order bilinear groups and their security depends on the hardness of the subgroup decision assumption. In this paper we present new, effi ..."
Abstract

Cited by 11 (2 self)
 Add to MetaCart
(Show Context)
In [8, 9] Boneh et al. presented the first fully collusion-resistant traitor tracing and trace & revoke schemes. These schemes are based on composite order bilinear groups and their security depends on the hardness of the subgroup decision assumption. In this paper we present new, efficient trace & revoke schemes which are based on prime order bilinear groups, and whose security depends on the hardness of the Decisional Linear Assumption or the External Diffie-Hellman (XDH) assumption. This allows our schemes to be flexible and thus much more efficient than existing schemes in terms of a variety of parameters including ciphertext size, encryption time, and decryption time. For example, if encryption time was the major parameter of concern, then for the same level of practical security as [8] our scheme encrypts 6 times faster. Decryption is 10 times faster. The ciphertext size in our scheme is 50% less when compared to [8]. We provide the first implementations of efficient fully collusion-resilient traitor tracing and trace & revoke schemes. The ideas used in this paper can be used to make other cryptographic schemes based on composite order bilinear groups efficient as well.
Traitor Tracing with Constant Size Ciphertext
2008
"... A traitor tracing system enables a publisher to trace a pirate decryption box to one of the secret keys used to create the box. We present the first traitor tracing system where ciphertext size is “constant, ” namely independent of the number of users in the system and the collusion bound. A ciphert ..."
Abstract

Cited by 10 (1 self)
 Add to MetaCart
(Show Context)
A traitor tracing system enables a publisher to trace a pirate decryption box to one of the secret keys used to create the box. We present the first traitor tracing system where ciphertext size is “constant,” namely independent of the number of users in the system and the collusion bound. A ciphertext in our system consists of only two elements where the length of each element depends only on the security parameter. The downside is that private-key size is quadratic in the collusion bound. Our construction is based on recent constructions for fingerprinting codes.
K-resilient identity-based encryption in the standard model
In Topics in Cryptology CT-RSA 2004, 2004
"... Abstract. We present and analyze an adaptive chosen ciphertext secure (INDCCA) identitybased encryption scheme (IBE) based on the well studied Decisional DiffieHellman (DDH) assumption. The scheme is provably secure in the standard model assuming the adversary can corrupt up to a maximum of k use ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
We present and analyze an adaptive chosen ciphertext secure (IND-CCA) identity-based encryption scheme (IBE) based on the well studied Decisional Diffie-Hellman (DDH) assumption. The scheme is provably secure in the standard model assuming the adversary can corrupt up to a maximum of k users adaptively. This is contrary to the Boneh-Franklin scheme which holds in the random-oracle model. Key words: identity-based encryption, standard model