Broadcast Secret-Sharing, Bounds and Applications

Consider a sender ? and a group of n recipients. ? holds a secret message ? of length l bits and the goal is to allow ? to create a secret sharing of ? with privacy threshold t among the recipients, by broadcasting a single message ? to the recipients. Our goal is to do this with information theoretic security in a model with a simple form of correlated randomness. Namely, for each subset ? of recipients of size q, ? may share a random key with all recipients in ?. (The keys shared with different subsets ? must be independent.) We call this Broadcast Secret-Sharing (BSS) with parameters l, n, t and q. Our main question is: how large must ? be, as a function of the parameters? We show that (n-t)/q l is a lower bound, and we show an upper bound of ((n(t+1)/(q+t)) -t)l, matching the lower bound whenever t = 0, or when q = 1 or n-t. When q = n-t, the size of ? is exactly l which is clearly minimal. The protocol demonstrating the upper bound in this case requires ? to share a key with every subset of size n-t. We show that this overhead cannot be avoided when ? has minimal size. We also show that if access is additionally given to an idealized PRG, the lower bound on ciphertext size becomes (n-t)/q ? + l - negl(?) (where ? is the length of the input to the PRG). The upper bound becomes ((n(t+1))/(q+t) -t)? + l. BSS can be applied directly to secret-key threshold encryption. We can also consider a setting where the correlated randomness is generated using computationally secure and non-interactive key exchange, where we assume that each recipient has an (independently generated) public key for this purpose. In this model, any protocol for non-interactive secret sharing becomes an ad hoc threshold encryption (ATE) scheme, which is a threshold encryption scheme with no trusted setup beyond a PKI. Our upper bounds imply new ATE schemes, and our lower bound becomes a lower bound on the ciphertext size in any ATE scheme that uses a key exchange functionality and no other cryptographic primitives

Turning HATE into LOVE: compact homomorphic ad hoc threshold encryption for scalable MPC

In a public-key threshold encryption scheme, the sender produces a single ciphertext, and any +1 out of intended recipients can combine their partial decryptions to obtain the plaintext. Ad hoc threshold encryption (ATE) schemes require no correlated setup, enabling each party to simply generate its own key pair. In this paper, we initiate a systematic study of the possibilities and limitations of ad-hoc threshold encryption, and introduce a key application to scalable multiparty computation (MPC). Assuming indistinguishability obfuscation (iO), we construct the first ATE that is sender-compact—that is, with ciphertext length independent of . This allows for succinct communication once public keys have been shared. We also show a basic lower bound on the extent of key sharing: every sender-compact scheme requires that recipients of a message know the public keys of other recipients in order to decrypt. We then demonstrate that threshold encryption that is ad hoc and homomorphic can be used to build efficient large-scale fault-tolerant multiparty computation (MPC) on a minimal (star) communication graph. We explore several homomorphic schemes, in particular obtaining one iO-based ATE scheme that is both sender-compact and homomorphic: each recipient can derive what they need for evaluation from a single short ciphertext. In the resulting MPC protocol, once the public keys have been distributed, all parties in the graph except for the central server send and receive only short messages, whose size is independent of the number of participants. Taken together, our results chart new possibilities for threshold encryption and raise intriguing open questions.Accepted manuscrip

Data Sharing on Untrusted Storage with Attribute-Based Encryption

Storing data on untrusted storage makes secure data sharing a challenge issue. On one hand, data access policies should be enforced on these storage servers; on the other hand, confidentiality of sensitive data should be well protected against them. Cryptographic methods are usually applied to address this issue -- only encrypted data are stored on storage servers while retaining secret key(s) to the data owner herself; user access is granted by issuing the corresponding data decryption keys. The main challenges for cryptographic methods include simultaneously achieving system scalability and fine-grained data access control, efficient key/user management, user accountability and etc. To address these challenge issues, this dissertation studies and enhances a novel public-key cryptography -- attribute-based encryption (ABE), and applies it for fine-grained data access control on untrusted storage. The first part of this dissertation discusses the necessity of applying ABE to secure data sharing on untrusted storage and addresses several security issues for ABE. More specifically, we propose three enhancement schemes for ABE: In the first enhancement scheme, we focus on how to revoke users in ABE with the help of untrusted servers. In this work, we enable the data owner to delegate most computation-intensive tasks pertained to user revocation to untrusted servers without disclosing data content to them. In the second enhancement scheme, we address key abuse attacks in ABE, in which authorized but malicious users abuse their access privileges by sharing their decryption keys with unauthorized users. Our proposed scheme makes it possible for the data owner to efficiently disclose the original key owner\u27s identity merely by checking the input and output of a suspicious user\u27s decryption device. Our third enhancement schemes study the issue of privacy preservation in ABE. Specifically, our proposed schemes hide the data owner\u27s access policy not only to the untrusted servers but also to all the users. The second part presents our ABE-based secure data sharing solutions for two specific applications -- Cloud Computing and Wireless Sensor Networks (WSNs). In Cloud Computing cloud servers are usually operated by third-party providers, which are almost certain to be outside the trust domain of cloud users. To secure data storage and sharing for cloud users, our proposed scheme lets the data owner (also a cloud user) generate her own ABE keys for data encryption and take the full control on key distribution/revocation. The main challenge in this work is to make the computation load affordable to the data owner and data consumers (both are cloud users). We address this challenge by uniquely combining various computation delegation techniques with ABE and allow both the data owner and data consumers to securely mitigate most computation-intensive tasks to cloud servers which are envisaged to have unlimited resources. In WSNs, wireless sensor nodes are often unattendedly deployed in the field and vulnerable to strong attacks such as memory breach. For securing storage and sharing of data on distributed storage sensor nodes while retaining data confidentiality, sensor nodes encrypt their collected data using ABE public keys and store encrypted data on storage nodes. Authorized users are given corresponding decryption keys to read data. The main challenge in this case is that sensor nodes are extremely resource-constrained and can just afford limited computation/communication load. Taking this into account we divide the lifetime of sensor nodes into phases and distribute the computation tasks into each phase. We also revised the original ABE scheme to make the overhead pertained to user revocation minimal for sensor nodes. Feasibility of the scheme is demonstrated by experiments on real sensor platforms

Contributions to secret sharing and other distributed cryptosystems

The present thesis deals with primitives related to the eld of distributed cryptography. First, we study signcryption schemes, which provide at the same time the functionalities of encryption and signature, where the unsigncryption operation is distributed. We consider this primitive from a theoretical point of view and set a security framework for it. Then, we present two signcryption schemes with threshold unsigncryption, with di erent properties. Furthermore, we use their authenticity property to apply them in the development of a di erent primitive: digital signatures with distributed veri cation. The second block of the thesis deals with the primitive of multi-secret sharing schemes. After stating some e ciency limitations of multi-secret sharing schemes in an information-theoretic scenario, we present several multi-secret sharing schemes with provable computational security. Finally, we use the results in multi-secret sharing schemes to generalize the traditional framework of distributed cryptography (with a single policy of authorized subsets) into a multipolicy setting, and we present both a multi-policy distributed decryption scheme and a multi-policy distributed signature scheme. Additionally, we give a short outlook on how to apply the presented multi-secret sharing schemes in the design of other multi-policy cryptosystems, like the signcryption schemes considered in this thesis. For all the schemes proposed throughout the thesis, we follow the same formal structure. After de ning the protocols of the primitive and the corresponding security model, we propose the new scheme and formally prove its security, by showing a reduction to some computationally hard mathematical problem.Avui en dia les persones estan implicades cada dia més en diferents activitats digitals tant en la seva vida professional com en el seu temps lliure. Molts articles de paper, com diners i tiquets, estan sent reemplaçats més i més per objectes digitals. La criptografia juga un paper crucial en aquesta transformació, perquè proporciona seguretat en la comunicació entre els diferents participants que utilitzen un canal digital. Depenent de la situació específica, alguns requisits de seguretat en la comunicació poden incloure privacitat (o confidencialitat), autenticitat, integritat o no-repudi. En algunes situacions, repartir l'operació secreta entre un grup de participants fa el procés més segur i fiable que quan la informació secreta està centralitzada en un únic participant; la criptografia distribuïda és l’àrea de la criptografia que estudia aquestes situacions. Aquesta tesi tracta de primitives relacionades amb el camp de la criptografia distribuïda. Primer, estudiem esquemes “signcryption”, que ofereixen a la vegada les funcionalitats de xifrat i signatura, on l'operació de “unsigncryption” està distribuïda. Considerem aquesta primitiva des d’un punt de vista teòric i establim un marc de seguretat per ella. Llavors, presentem dos esquemes “signcryption” amb operació de “unsigncryption” determinada per una estructura llindar, cada un amb diferents propietats. A més, utilitzem la seva propietat d’autenticitat per desenvolupar una nova primitiva: signatures digitals amb verificació distribuïda. El segon bloc de la tesi tracta la primitiva dels esquemes de compartició de multi-secrets. Després de demostrar algunes limitacions en l’eficiència dels esquemes de compartició de multi-secrets en un escenari de teoria de la informació, presentem diversos esquemes de compartició de multi-secrets amb seguretat computacional demostrable. Finalment, utilitzem els resultats obtinguts en els esquemes de compartició de multi-secrets per generalitzar el paradigma tradicional de la criptografia distribuïda (amb una única política de subconjunts autoritzats) a un marc multi-política, i presentem un esquema de desxifrat distribuït amb multi-política i un esquema de signatura distribuïda amb multi-política. A més, donem indicacions de com es poden aplicar els nostres esquemes de compartició de multi-secrets en el disseny d’altres criptosistemes amb multi-política, com per exemple els esquemes “signcryption” considerats en aquesta tesi. Per tots els esquemes proposats al llarg d’aquesta tesi, seguim la mateixa estructura formal. Després de definir els protocols de la primitiva primitius i el model de seguretat corresponent, proposem el nou esquema i demostrem formalment la seva seguretat, mitjançant una reducció a algun problema matemàtic computacionalment difícil

Extended Access Structures and Their Cryptographic Applications

In secret sharing schemes a secret is distributed among a set of users $\mathcal{P}$ in such a way that only some sets, the authorized sets, can recover it. The family $\Gamma$ of authorized sets is called access structure. Given such a monotone family $\Gamma \subset 2^\P$, we introduce the concept of \emph{extended access structures}, defined over a larger set $\P\u27 = \P \cup \tilde{\P}$, satisfying these two properties: (1) the set $\P$ is a minimal subset of $\Gamma\u27$, i.e. $\P - \{R_i\} \notin \Gamma\u27$ for every $R_i \in \P$, (2) a subset $A \subset \P$ is in $\Gamma$ if and only if the subset $A \cup \tilde{\P}$ is in $\Gamma\u27$. As our first contribution, we give an explicit construction of an extended access structure $\Gamma\u27$ starting from a vector space access structure $\Gamma$, and we prove that $\Gamma\u27$ is also vector space. Our second contribution is to show that the concept of extended access structure can be used to design encryption schemes which involve access structures that are chosen ad-hoc at the time of encryption. Specifically, we design and analyze a dynamic distributed encryption scheme and a ciphertext-policy attribute-based encryption scheme. In some cases, the new schemes enjoy better properties than the existing ones

Optimal subset-difference broadcast encryption with free riders

Cataloged from PDF version of article.Broadcast encryption (BE) deals with secure transmission of a message to a group of receivers such that only an authorized subset of receivers can decrypt the message. The transmission cost of a BE system can be reduced considerably if a limited number of free riders can be tolerated in the system. in this paper, we study the problem of how to optimally place a given number of free riders in a subset-difference (SD)-based BE system, which is currently the most efficient BE scheme in use and has also been incorporated in standards, and we propose a polynomial-time optimal placement algorithm and three more efficient heuristics for this problem. Simulation experiments show that SD-based BE schemes can benefit significantly from the proposed algorithms. (C) 2009 Elsevier Inc. All rights reserved

Dynamic Threshold Public-Key Encryption

The original publication is available at www.springerlink.comInternational audienceThis paper deals with threshold public-key encryption which allows a pool of players to decrypt a ciphertext if a given threshold of authorized players cooperate. We generalize this primitive to the dynamic setting, where any user can dynamically join the system, as a possible recipient; the sender can dynamically choose the authorized set of recipients, for each ciphertext; and the sender can dynamically set the threshold t for decryption capability among the authorized set. We first give a formal security model, which includes strong robustness notions, and then we propose a candidate achieving all the above dynamic properties, that is semantically secure in the standard model, under a new non-interactive assumption, that fits into the general Diffie-Hellman exponent framework on groups with a bilinear map. It furthermore compares favorably with previous proposals, a.k.a. threshold broadcast encryption, since this is the first threshold public-key encryption, with dynamic authorized set of recipients and dynamic threshold that provides constant-size ciphertexts

Ad Hoc (Decentralized) Broadcast, Trace, and Revoke

Traitor tracing schemes [Chor–Fiat–Naor, Crypto ’94] help content distributors fight against piracy and are defined with the content distributor as a trusted authority having access to the secret keys of all users. While the traditional model caters well to its original motivation, its centralized nature makes it unsuitable for many scenarios. For usage among mutually untrusted parties, a notion of *ad hoc* traitor tracing (naturally with the capability of broadcast and revocation) is proposed and studied in this work. Such a scheme allows users in the system to generate their own public/secret key pairs, without trusting any other entity. To encrypt, a list of public keys is used to identify the set of recipients, and decryption is possible with a secret key for any of the public keys in the list. In addition, there is a tracing algorithm that given a list of recipients’ public keys and a pirate decoder capable of decrypting ciphertexts encrypted to them, identifies at least one recipient whose secret key must have been used to construct the said decoder. Two constructions are presented. The first is based on obfuscation and has constant-size ciphertext, yet its decryption time is linear in the number of recipients. The second is a generic transformation that reduces decryption time at the cost of increased ciphertext size. A lower bound on the trade-off between ciphertext size and decryption time is shown, indicating that the two constructions achieve all possible optimal trade-offs, i.e., they fully demonstrate the Pareto front of efficiency. The lower bound also applies to broadcast encryption and is of independent interest