5 research outputs found
Dynamic Threshold Public-Key Encryption
The original publication is available at www.springerlink.com. International audience.
This paper deals with threshold public-key encryption, which allows a pool of players to decrypt a ciphertext if a given threshold of authorized players cooperate. We generalize this primitive to the dynamic setting, where any user can dynamically join the system, as a possible recipient; the sender can dynamically choose the authorized set of recipients, for each ciphertext; and the sender can dynamically set the threshold t for decryption capability among the authorized set. We first give a formal security model, which includes strong robustness notions, and then we propose a candidate achieving all the above dynamic properties, that is semantically secure in the standard model, under a new non-interactive assumption, that fits into the general Diffie-Hellman exponent framework on groups with a bilinear map. It furthermore compares favorably with previous proposals, a.k.a. threshold broadcast encryption, since this is the first threshold public-key encryption, with dynamic authorized set of recipients and dynamic threshold that provides constant-size ciphertexts.
CCA2-secure threshold broadcast encryption with shorter ciphertexts
Paper presented at: ProvSec 2007: Provable Security First International Conference, held 1 to 2 November 2007 in Wollongong, Australia.
In a threshold broadcast encryption scheme, a sender chooses (ad-hoc) a
set of n receivers and a threshold t, and then encrypts a message by using the
public keys of all the receivers, in such a way that the original plaintext can be
recovered only if at least t receivers cooperate. Previously proposed threshold
broadcast encryption schemes have ciphertexts whose length is O(n). In this paper,
we propose new schemes, for both PKI and identity-based scenarios, where
the ciphertexts’ length is O(n − t). The construction uses secret sharing techniques
and the Canetti-Halevi-Katz transformation to achieve chosen-ciphertext
security. The security of our schemes is formally proved under the Decisional
Bilinear Diffie-Hellman (DBDH) Assumption
CCA2-Secure Threshold Broadcast Encryption with Shorter Ciphertexts
Abstract: In a threshold broadcast encryption scheme, a sender chooses (ad-hoc) a set of n receivers and a threshold t, and then encrypts a message by using the public keys of all the receivers, in such a way that the original plaintext can be recovered only if at least t receivers cooperate. Previously proposed threshold broadcast encryption schemes have ciphertexts whose length is O(n). In this paper, we propose new schemes, for both PKI and identity-based scenarios, where the ciphertexts' length is O(n − t). The construction uses secret sharing techniques and the Canetti-Halevi-Katz transformation to achieve chosen-ciphertext security. The security of our schemes is formally proved under the Decisional Bilinear Diffie-Hellman (DBDH) Assumption.