Generic Construction of Trace and Revoke Schemes

Broadcast encryption (BE) is a cryptographic primitive that allows a broadcaster to encrypt digital content to a privileged set of users and in this way prevent revoked users from accessing the content. In BE schemes, a group of users, called traitor s may leak their keys and enable an adversary to receive the content. Such malicious users can be detected through traitor tracing (TT) schemes. The ultimate goal in a content distribution system would be combining traitor tracing and broadcast encryption (resulting in a trace and revoke system) so that any receiver key found to be compromised in a tracing process would be revoked from future transmissions. In this paper, we propose a generic method to transform a broadcast encryption scheme into a trace and revoke scheme. This transformation involves the utilization of a fingerprinting code over the underlying BE transmission. While fingerprinting codes have been used for constructing traitor tracing schemes in the past, their usage has various shortcomings such as the increase of the public key size with a linear factor in the length of the code. Instead, we propose a novel way to apply fingerprinting codes that allows for efficient parameters while retaining the traceability property. Our approach is based on a new property of fingerprinting codes we introduce, called public samplability. We have instantiated our generic transformation with the BE schemes of [4, 13, 20] something that enables us to produce trace and revoke schemes with novel properties. Specifically, we show (i) a trace and revoke scheme with constant private key size and short ciphertext size, (ii) the first ID-based trace and revoke scheme, (iii) the first publicly traceable scheme with constant private key size and (iv) the first trace and revoke scheme against pirate rebroadcasting attack in the public key setting

Provably Secure ID-Based Broadcast Signcryption (IBBSC) Scheme

With the advent of mobile and portable devices such as cell phones and PDAs, wireless content distribution has become a major means of communications and entertainment. In such applications, a central authority needs to deliver encrypted data to a large number of recipients in such a way that only a privileged subset of users can decrypt it. A broadcasting news channel may face this problem, for example, when a large number of people subscribe to a daily exclusive news feature. This is exactly the kind of problem that \textit{broadcast encryption} attempts to efficiently solve. On top of this, especially in the current digital era, junk content or spam is a major turn off in almost every Internet application. If all the users who subscribe to the news feed receive meaningless noise or any unwanted content, then the broadcaster is going to lose them. This results in the additional requirement that subscribers have source authentication with respect to their broadcaster. \textit{Broadcast signcryption}, which enables the broadcaster to simultaneously encrypt and sign the content meant for a specific set of users in a single logical step, provides the most efficient solution to the dual problem of confidentiality and authentication. Efficiency is a major concern, because mobile devices have limited memory and computational power and wireless bandwidth is an extremely costly resource. While several alternatives exist in implementing broadcast signcryption schemes, identity-based (ID-based) schemes are arguably the best suited because of the unique advantage that they provide --- any unique, publicly available parameter of a user can be his public key, which eliminates the need for a complex public key infrastructure. In ASIAN 2004, Mu et al. \cite{MSLR04} propose what they call an ID-based authenticated broadcast encryption scheme, which is also a broadcast signcryption scheme, as the security goals are the same. They claim that their scheme provides message authentication and confidentiality and formally prove that the broadcaster\u27s secret is not compromised, but in this paper, we demonstrate that even without knowing the broadcaster\u27s secret, it is possible for a legal user to impersonate the broadcaster. We demonstrate this by mounting a universal forgeability attack --- any valid user, on receiving and decrypting a valid ciphertext from a broadcaster, can generate a valid ciphertext on any message on behalf of that broadcaster for the same set of legal receivers to which the broadcaster signcrypted the earlier message, without knowing any secrets. Following this, we propose a new ID-based broadcast signcryption (IBBSC) scheme, and formally prove its security under the strongest existing security models for broadcast signcryption (IND-CCA2 and EUF-CMA2)

Generic Constructions of RIBE via Subset Difference Method

Revocable identity-based encryption (RIBE) is an extension of IBE which can support a key revocation mechanism, and it is important when deploying an IBE system in practice. Boneh and Franklin (Crypto\u2701) presented the first generic construction of RIBE, however, their scheme is not scalable where the size of key updates is linear in the number of users in the system. The first generic construction of RIBE is presented by Ma and Lin with complete subtree (CS) method by combining IBE and hierarchical IBE (HIBE) schemes. Recently, Lee proposed a new generic construction using the subset difference (SD) method by combining IBE,identity-based revocation (IBR), and two-level HIBE schemes. In this paper, we present a new primitive called Identity-Based Encryption with Ciphertext Delegation (CIBE) and propose a generic construction of RIBE scheme via subset difference method using CIBE and HIBE as building blocks. CIBE is a special type of Wildcarded IBE (WIBE) and Identity-Based Broadcast Encryption (IBBE). Furthermore, we show that CIBE can be constructed from IBE in a black-box way. Instantiating the underlying building blocks with different concrete schemes, we can obtain a RIBE scheme with constant-size public parameter, ciphertext, private key and $O(r)$ key updates in the selective-ID model. Additionally, our generic RIBE scheme can be easily converted to a sever-aided RIBE scheme which is more suitable for lightweight devices

A New Cryptosystem Based On Hidden Order Groups

Let $G_1$ be a cyclic multiplicative group of order $n$. It is known that the Diffie-Hellman problem is random self-reducible in $G_1$ with respect to a fixed generator $g$ if $\phi(n)$ is known. That is, given $g, g^x\in G_1$ and having oracle access to a `Diffie-Hellman Problem' solver with fixed generator $g$, it is possible to compute $g^{1/x} \in G_1$ in polynomial time (see theorem 3.2). On the other hand, it is not known if such a reduction exists when $\phi(n)$ is unknown (see conjuncture 3.1). We exploit this ``gap'' to construct a cryptosystem based on hidden order groups and present a practical implementation of a novel cryptographic primitive called an \emph{Oracle Strong Associative One-Way Function} (O-SAOWF). O-SAOWFs have applications in multiparty protocols. We demonstrate this by presenting a key agreement protocol for dynamic ad-hoc groups.Comment: removed examples for multiparty key agreement and join protocols, since they are redundan

Key Management Building Blocks for Wireless Sensor Networks

Cryptography is the means to ensure data confidentiality, integrity and authentication in wireless sensor networks (WSNs). To use cryptography effectively however, the cryptographic keys need to be managed properly. First of all, the necessary keys need to be distributed to the nodes before the nodes are deployed in the field, in such a way that any two or more nodes that need to communicate securely can establish a session key. Then, the session keys need to be refreshed from time to time to prevent birthday attacks. Finally, in case any of the nodes is found to be compromised, the key ring of the compromised node needs to be revoked and some or all of the compromised keys might need to be replaced. These processes, together with the policies and techniques needed to support them, are called key management. The facts that WSNs (1) are generally not tamper-resistant; (2) operate unattended; (3) communicate in an open medium; (4) have no fixed infrastructure and pre-configured topology; (5) have severe hardware and resource constraints, present unique challenges to key management. In this article, we explore techniques for meeting these challenges. What distinguishes our approach from a routine literature survey is that, instead of comparing various known schemes, we set out to identify the basic cryptographic principles, or building blocks that will allow practitioners to set up their own key management framework using these building blocks

Quantum broadcast communication

Broadcast encryption allows the sender to securely distribute his/her secret to a dynamically changing group of users over a broadcast channel. In this paper, we just consider a simple broadcast communication task in quantum scenario, which the central party broadcasts his secret to multi-receiver via quantum channel. We present three quantum broadcast communication schemes. The first scheme utilizes entanglement swapping and Greenberger-Horne-Zeilinger state to realize a task that the central party broadcasts his secret to a group of receivers who share a group key with him. In the second scheme, based on dense coding, the central party broadcasts the secret to multi-receiver who share each of their authentication key with him. The third scheme is a quantum broadcast communication scheme with quantum encryption, which the central party can broadcast the secret to any subset of the legal receivers