Remarks on the Cryptographic Primitive of Attribute-based Encryption
Attribute-based encryption (ABE), which allows users to encrypt and decrypt messages based on user attributes, is a type of one-to-many encryption. Unlike conventional one-to-one encryption, which has no intention of excluding any partners of the intended receiver from obtaining the plaintext, an ABE system tries to exclude some unintended recipients from obtaining the plaintext regardless of whether they are partners of some intended recipients. We remark that this requirement for ABE is very hard to meet. An ABE system cannot truly exclude some unintended recipients from decryption because some users can exchange their decryption keys in order to maximize their own interests. The flaw discounts the importance of the cryptographic primitive.
Comment: 9 pages, 4 figures
A Tunable Broadcast Encryption Scheme
In this paper, we describe yet another broadcast encryption scheme for stateless receivers. The main difference between our scheme and the classical schemes derived from the complete subtree method and its subsequent improvements is that in our scheme the group management is based on a more adaptable data structure. In these classical schemes, users must be spread over a tree structure where each level of the tree is associated with some distinguishing property of the users. The fact that the underlying data structure is a fixed tree is a strong limitation for applications where an operator wants to select users very dynamically, following criteria with changing levels of priority. Our scheme may be thought of as a complete subtree scheme in which the different levels of the tree can be exchanged, which makes it very efficient to revoke or select a class of users. It is also very efficient in cases where there are very unbalanced groups of users.
This scheme allows one to select or revoke users by sending ciphertexts whose size is linear in the number of groups, which is in general far less than the number of users. Moreover, by using a specific group partition, it is possible to recover a tree structure in order to apply the classical methods, which guarantees that our scheme is in general as efficient as the usual ones.
We prove that our scheme is fully collusion secure in the generic group with pairing model.
Public Key Broadcast Encryption with Low Number of Keys and Constant Decryption Time (Version 2)
In this paper we propose two public key BE schemes that have efficient complexity measures.
The first scheme, called the PBE-PI scheme, has header size, public keys and private keys per user, where is the number of revoked users. This is the first public key BE scheme that has both public and private keys under while the header size is . These complexity measures match those of efficient secret key BE schemes.
Our second scheme, called the PBE-SD-PI scheme, also has header size, public key and private keys per user. However, its decryption time is remarkably . This is the first public key BE scheme that has decryption time while the other complexity measures are kept low. Overall, this is the most efficient public key BE scheme up to now.
Our basic schemes are one-way secure against full collusion of revoked users in the random oracle model under the BDH assumption. We modify our schemes to have indistinguishability security against adaptive chosen ciphertext attacks.
BROADCAST ENCRYPTION
We propose a new broadcast encryption scheme based on the idea of 'one key per each punctured interval'. Let and be the numbers of total users and revoked users, respectively. In our scheme with -punctured -intervals, the transmission overhead is asymptotically as grows. We also introduce two variants of our scheme to improve the efficiency for small . Our scheme is very flexible with two parameters and . We may take as large as possible if a user device allows a large key storage, and set as small as possible if the storage size and the computing power are limited. Our scheme also possesses another remarkable feature: any number of new users can join at any time without key refreshment, which is not possible in other known practical schemes.
Dynamic Threshold Public-Key Encryption
This paper deals with threshold public-key encryption, which allows a pool of players to decrypt a ciphertext if a given threshold of authorized players cooperate. We generalize this primitive to the dynamic setting, where any user can dynamically join the system as a possible recipient; the sender can dynamically choose the authorized set of recipients for each ciphertext; and the sender can dynamically set the threshold t for decryption capability among the authorized set. We first give a formal security model, which includes strong robustness notions, and then we propose a candidate achieving all the above dynamic properties that is semantically secure in the standard model under a new non-interactive assumption, which fits into the general Diffie-Hellman exponent framework on groups with a bilinear map. It furthermore compares favorably with previous proposals, a.k.a. threshold broadcast encryption, since this is the first threshold public-key encryption with a dynamic authorized set of recipients and a dynamic threshold that provides constant-size ciphertexts.
Cryptanalysis of Bohio et al.'s ID-Based Broadcast Signcryption (IBBSC) Scheme for Wireless Ad-hoc Networks
Broadcast signcryption enables the broadcaster to simultaneously encrypt and sign the content meant for a specific set of users in a single logical step. It provides a very efficient solution to the dual problem of achieving confidentiality and authentication during content distribution. Among other alternatives, ID-based schemes are arguably the best suited for its implementation in wireless ad-hoc networks because of the unique advantage they provide: any unique, publicly available parameter of a user can be his public key, which eliminates the need for a complex public key infrastructure. In 2004, Bohio et al. [4] proposed an ID-based broadcast signcryption (IBBSC) scheme which achieves constant ciphertext size. They claim that their scheme provides both message authentication and confidentiality, but do not give formal proofs. In this paper, we demonstrate how a legitimate user of the scheme can forge a valid signcrypted ciphertext, as if generated by the broadcaster. Moreover, we show that their scheme is not IND-CCA secure. Following this, we propose a fix for Bohio et al.'s scheme, and formally prove its security under the strongest existing security models for broadcast signcryption (IND-CCA2 and EUF-CMA). While fixing the scheme, we also improve its efficiency by reducing the ciphertext size to two elements compared to three in [4].
Solutions and Tools for Secure Communication in Wireless Sensor Networks
Secure communication is considered a vital requirement in Wireless Sensor Network (WSN) applications. Such a requirement embraces different aspects, including confidentiality, integrity and authenticity of exchanged information, proper management of security material, and effective prevention of and reaction against security threats and attacks. However, WSNs are mainly composed of resource-constrained devices. That is, network nodes have reduced capabilities, especially in terms of memory storage, computing power, transmission rate, and energy availability.
As a consequence, assuring secure communication in WSNs turns out to be more difficult than in other kinds of network. In fact, trading the effectiveness of adopted solutions against their efficiency becomes far more important. In addition, specific device classes or technologies may require the design of ad hoc security solutions. Also, it is necessary to efficiently manage security material and dynamically cope with changes of security requirements. Finally, security threats and countermeasures have to be carefully considered from the network design phase onward.
This Ph.D. dissertation considers secure communication in WSNs and provides the following contributions. First, we provide a performance evaluation of IEEE 802.15.4 security services. Then, we focus on the ZigBee technology and its security services, and propose possible solutions to some deficiencies and inefficiencies. Second, we present HISS, a highly scalable and efficient key management scheme, able to counter collusion attacks while displaying a graceful degradation of performance. Third, we present STaR, a software component for WSNs that secures multiple traffic flows at the same time. It is transparent to the application and provides runtime reconfigurability, thus coping with dynamic changes of security requirements. Finally, we describe ASF, our attack simulation framework for WSNs. Such a tool helps network designers to quantitatively evaluate the effects of security attacks, produce an attack ranking based on their severity, and thus select the most appropriate countermeasures.
Low Overhead Broadcast Encryption from Multilinear Maps
We use multilinear maps to provide a solution to the long-standing problem of public-key broadcast encryption where all parameters in the system are small. In our constructions, ciphertext overhead, private key size, and public key size are all poly-logarithmic in the total number of users. The systems are fully secure against any number of colluders. All our systems are based on an O(log N)-way multilinear map to support a broadcast system for N users. We present three constructions based on different types of multilinear maps and providing different security guarantees. Our systems naturally give identity-based broadcast systems with short parameters.
Contributions to Identity-Based Broadcast Encryption and Its Anonymity
Broadcast encryption was introduced to improve the efficiency of encryption when a message should be sent to or shared with a group of users. Only the legitimate users chosen in the encryption phase are able to retrieve the message. The primary challenge in constructing a broadcast encryption scheme is to achieve collusion resistance, such that the unchosen users learn nothing about the content of the encrypted message even if they collude.
Efficient Tree-Based Revocation in Groups of Low-State Devices
Abstract. We study the problem of broadcasting confidential information to a collection of n devices while providing the ability to revoke an arbitrary subset of those devices (and tolerating collusion among the revoked devices). In this paper, we restrict our attention to low-memory devices, that is, devices that can store at most O(log n) keys. We consider solutions for both zero-state and low-state cases, where such devices are organized in a tree structure T. We allow the group controller to encrypt broadcasts to any subtree of T, even if the tree is based on a multi-way organizational chart or a severely unbalanced multicast tree.