Similar documents
1.
Revocable hierarchical identity-based encryption (RHIBE) is an extension of HIBE that supports the revocation of users' private keys to manage the dynamic credentials of users in a system. Many different RHIBE schemes were proposed previously, but they are not efficient in terms of the private key size and the update key size, since the depth of a hierarchical identity is included as a multiplicative factor. In this paper, we propose efficient RHIBE schemes with shorter private keys and update keys and small public parameters by removing this multiplicative factor. To achieve our goals, we first present a new HIBE scheme with a different generation of private keys such that a private key can be simply derived from a short intermediate private key. Next, we show that two efficient RHIBE schemes can be built by combining our HIBE scheme, an IBE scheme, and a tree-based broadcast encryption scheme in a modular way.

2.
When an organisation chooses a system to make regular broadcasts to a changing user base, there is an inevitable trade-off between the number of keys a user must store and the number of keys used in the broadcast. The Complete Subtree and Subset Difference revocation schemes were proposed as efficient solutions to this problem. However, all measurements of the broadcast size have been in terms of upper bounds on the worst case. Also, the bound on the latter scheme is only relevant for small numbers of revoked users, despite the fact that both schemes allow any number of such users. Since the broadcast size can be critical for limited-memory devices, we aid comparative analysis of these important techniques by establishing the worst-case broadcast size for both revocation schemes.

3.
This paper provides an exposition of methods by which a trusted authority can distribute keys and/or broadcast a message over a network, so that each member of a privileged subset of users can compute a specified key or decrypt the broadcast message. Moreover, this is done in such a way that no coalition is able to recover any information on a key or broadcast message they are not supposed to know. The problems are studied using the tools of information theory, so the security provided is unconditional (i.e., not based on any computational assumption). We begin by surveying some useful schemes for key distribution that have been presented in the literature, giving background and examples (but not too many proofs). In particular, we look more closely at the attractive concept of key distribution patterns, and present a new method for making these schemes more efficient through the use of resilient functions. Then we present a general approach to the construction of broadcast schemes that combines key predistribution schemes with secret sharing schemes. We discuss the Fiat-Naor Broadcast Scheme, as well as other, new schemes that can be constructed using this approach.

4.
Some New Results on Key Distribution Patterns and Broadcast Encryption
This paper concerns methods by which a trusted authority can distribute keys and/or broadcast a message over a network, so that each member of a privileged subset of users can compute a specified key or decrypt the broadcast message. Moreover, this is done in such a way that no coalition is able to recover any information on a key or broadcast message they are not supposed to know. The problems are studied using the tools of information theory, so the security provided is unconditional (i.e., not based on any computational assumption). In a recent paper st95a, Stinson described a method of constructing key predistribution schemes by combining Mitchell-Piper key distribution patterns with resilient functions, and also presented a construction method for broadcast encryption schemes that combines Fiat-Naor key predistribution schemes with ideal secret sharing schemes. In this paper, we further pursue these two themes, providing several nice applications of these techniques by using combinatorial structures such as orthogonal arrays, perpendicular arrays, Steiner systems and universal hash families.

5.
A new access control scheme for the growth of users and files in file protection systems is proposed. Our scheme associates each user with a user key and each file with a file key. For each key, there are some corresponding locks that can be extracted from a nonsingular matrix. Through simple operations on keys and locks, the privacy decisions of the protection system can easily be revealed. Furthermore, by employing our method, whenever a new user or file joins, the corresponding key values and lock values are determined immediately without changing any previously defined keys and locks.

6.
A membership broadcast scheme is a method by which a dealer broadcasts a secret identity among a set of users, in such a way that only a single user is sure that he is the intended recipient. Anonymous membership broadcast schemes have several applications, such as anonymous delegation, cheating prevention, etc. In a w-anonymous membership broadcast scheme any coalition of at most w users, which does not include the user chosen by the dealer, has no information about the identity of the chosen user. Wang and Pieprzyk proposed a combinatorial approach to 1-anonymous membership broadcast schemes. In particular, they proposed a 1-anonymous membership broadcast scheme offering a logarithmic complexity for both communication and storage. However, their result is non-constructive. In this paper, we consider w-anonymous membership broadcast schemes. First, we propose a formal model to describe such schemes and show lower bounds on the communication and randomness complexities of the schemes. Afterwards, we show that w-anonymous membership broadcast schemes can be constructed starting from (w + 1)-wise independent families of permutations. The communication and storage complexities of our schemes are logarithmic in the number of users.

7.
Efficient password authenticated key agreement using bilinear pairings
For providing a secure distributed computer environment, efficient and flexible user authentication and key agreement are very important. In addition to user authentication and key agreement, identity privacy is very useful for users. In this paper, we propose an efficient and flexible password authenticated key agreement scheme using bilinear pairings. The main merits include: (1) there is no need for any password or verification table in the server; (2) users can choose or change their own passwords freely; (3) the server and a user can authenticate each other; (4) it protects the user's privacy; (5) the user and the server can generate a session key; (6) it does not have a serious clock-synchronization problem; (7) even if the secret information stored in a smart card is compromised, it prevents the offline dictionary attack.

8.
In a computer communication system, there exists a possibility of two or more users collaborating to derive a key to which they are not entitled. Therefore, a method for securing the system against this is necessary. In this paper, we propose an efficient heuristic algorithm for assigning cryptographic keys among a group of users organized in a tree structure. Compared with the existing assignment schemes, our scheme always produces economical cryptographic keys, which are smaller than the keys generated by the previous work in a tree structure. This work was supported in part by the National Science Council of the Republic of China under the grant NSC 81-0416-E-002-20.

9.
Providing an efficient revocation mechanism for identity-based encryption (IBE) is very important since a user's credential (or private key) can expire or be revealed. Revocable IBE (RIBE) is an extension of IBE that provides an efficient revocation mechanism. Previous RIBE schemes essentially use the complete subtree (CS) scheme of Naor, Naor and Lotspiech (CRYPTO 2001) for key revocation. In this paper, we present a new technique for RIBE that uses the efficient subset difference (SD) scheme of Naor et al. instead of the CS scheme to improve the size of update keys. Following our new technique, we first propose an efficient RIBE scheme in prime-order bilinear groups by combining the IBE scheme of Boneh and Boyen with the SD scheme, and prove its selective security under the standard assumption. Our RIBE scheme is the first RIBE scheme in bilinear groups that has O(r) group elements in an update key, where r is the number of revoked users. Next, we also propose another RIBE scheme in composite-order bilinear groups and prove its full security under static assumptions. Our RIBE schemes can also be integrated with the layered subset difference scheme of Halevy and Shamir (CRYPTO 2002) to reduce the size of a private key.

10.
One fundamental difference between the use of symmetric and public-key cryptosystems is that the former requires trust between sender and receiver. Typically they will share a secret key and neither has any protection from the other. However, many users are now finding that they want keys to be used for 'one purpose only' and are relying on hardware functionality to introduce the concept of unidirectional keys for symmetric algorithms. (So, for instance, the hardware functionality might ensure that a key used for encrypting messages from user A to user B cannot be used for encrypting messages in the opposite direction.) For public key systems this concept of unidirectional keys is automatically satisfied. However, when the encrypting key is made public, the exposure of this key means that the deciphering key is only safe from compromise when the keys are very large. If, on the other hand, both keys were kept secret then it might be possible to use much smaller keys. In this paper we investigate ways of using the primitives of an RSA public key cryptosystem in a symmetric key 'setting', i.e. where neither key is made public.

11.
In this paper we propose an information-theoretic approach to the access control problem in a scenario where a group of users is divided into a number of disjoint classes. The set of rules that specify the information flow between different user classes in the system defines an access control policy. An access control policy can be implemented by using a key assignment scheme, where a trusted central authority (CA) assigns an encryption key and some private information to each class. We consider key assignment schemes where the key assigned to each class is unconditionally secure with respect to an adversary controlling a coalition of classes of a limited size. Our schemes are characterized by a security parameter r, the size of the adversary coalition. We show lower bounds on the size of the private information that each class has to store and on the amount of randomness needed by the CA to set up any key assignment scheme. Finally, we propose some optimal constructions for unconditionally secure key assignment schemes.

12.
A Public-Key Traitor Tracing Scheme with Revocation Using Dynamic Shares
We propose a new public-key traitor tracing scheme with revocation capability using dynamic shares and entity revocation techniques. Our scheme's traitor tracing and revocation procedures are tightly coupled. The size of the enabling block of our scheme is independent of the number of receivers. Each receiver holds one decryption key only. The distinct feature of our scheme is that when traitors are found, we can revoke their private keys (up to some threshold z) without updating the private keys of other receivers. In particular, no revocation messages are broadcast and all receivers do nothing. Previously proposed revocation schemes need to update existing keys and entail a large amount of broadcast messages. Our traitor tracing algorithm works in a black-box way. It is conceptually simple and fully k-resilient, that is, it can find all traitors if the number of them is k or less. The encryption algorithm of our scheme is semantically secure assuming that the decisional Diffie-Hellman problem is hard. AMS Classification: 11T71, 68P30

13.
Hierarchical key-insulated identity-based encryption (HKIBE) is identity-based encryption (IBE) that allows users to update their secret keys to achieve (hierarchical) key-exposure resilience, which is an important notion in practice. However, existing HKIBE constructions have limitations in efficiency: the sizes of ciphertexts and secret keys depend on the hierarchical depth. In this paper, we first overcome this barrier by proposing simple but effective design methodologies to construct efficient HKIBE schemes. First, we show a generic construction from any hierarchical IBE (HIBE) scheme that satisfies a special requirement, called MSK evaluatability, introduced by Emura et al. (Des. Codes Cryptography 89(7):1535–1574, 2021). It provides several new and efficient instantiations since most pairing-based HIBE schemes satisfy the requirement. It is worth noting that it preserves all parameter sizes of the underlying HIBE scheme, and hence we obtain several efficient HKIBE schemes under the k-linear assumption in the standard model. Since MSK evaluatability is dedicated to pairing-based HIBE schemes, the first construction is restricted to pairing-based instantiations. To realize efficient instantiations from various assumptions, we next propose a generic construction of an HKIBE scheme from any plain HIBE scheme. It is based on Hanaoka et al.'s HKIBE scheme (Asiacrypt 2005), and does not need any special properties. Therefore, we obtain new efficient instantiations from various assumptions other than pairing-oriented ones. Though the sizes of secret keys and ciphertexts are larger than those of the first construction, it is more efficient than Hanaoka et al.'s scheme in terms of the sizes of the master public/secret keys.

14.
Broadcasting is attractive for delivering popular videos in video-on-demand service, because the server broadcast bandwidth is independent of the number of users. However, the required server bandwidth does depend on how much bandwidth each user can use, as well as on the user's initial waiting time. This paper addresses the issue of limiting the user bandwidth, and proposes a new broadcasting scheme, named Generalized Fibonacci Broadcasting (GFB). Using many performance graphs, we show that, for any given combination of the server bandwidth and user bandwidth, GFB can achieve the least waiting time among all the currently known fixed-delay broadcasting schemes. Furthermore, it is very easy to implement GFB. We also demonstrate that there is a trade-off between the user waiting time and the buffer requirement at the user.

15.
An identity-based non-interactive public key distribution system is presented that is based on a novel trapdoor one-way function allowing a trusted authority to compute discrete logarithms modulo a publicly known composite number m, while this is infeasible for an adversary not knowing the factorization of m. Without interaction with a key distribution center or with the recipient of a given message, a user can generate a mutually secure cipher key based solely on the recipient's identity and his own secret key, and subsequently send the message, encrypted with the generated key in a conventional cipher, over an insecure channel to the recipient. In contrast to previously proposed identity-based systems, no public keys, certificates for public keys or other information need to be exchanged, and thus the system is suitable for certain applications that do not allow for interaction. The paper solves an open problem proposed by Shamir in 1984.

16.
The problem of key management in a communications network is of primary importance. A key distribution pattern is an incidence structure which provides a secure method of distributing keys in a large network while reducing storage requirements. It is of interest to find explicit constructions for key distribution patterns. In O'Keefe [5–7], examples are shown using the finite circle geometries (Minkowski, Laguerre and inversive planes); in Quinn [12], examples are constructed from conics in finite projective and affine planes. In this paper, we construct some examples using the finite tangent-circle structures introduced in Quattrocchi and Rinaldi [10], and we give a comparison of the storage requirements.

17.
A sliding-window dynamic frameproof code is a scheme for discouraging the piracy of digital broadcasts through the use of digital fingerprinting. In this paper, we formally define sliding-window dynamic frameproof codes and provide optimal constructions for a certain class of these schemes. We also discuss bounds on the number of users such schemes can support.

18.
In the identity-based key extraction process, the key generator embeds a random number into the private key, which makes key extraction more flexible and allows a user to hold multiple private keys for a single identity; this undoubtedly increases the security of key usage. Based on this new key extraction idea, an identity-based signature scheme is given; the new key extraction method gives it better security and flexibility. The new identity-based signature scheme uses the minimum number of pairing operations and is therefore computationally more efficient than similar schemes. The security of the new signature scheme relies on the hardness of the k-collusion attack problem (k-CAAP); it is strongly unforgeable under adaptive chosen-message and chosen-ID attacks, and its security proof has a tight reduction.

19.
In a conventional secret sharing scheme a dealer uses secure point-to-point channels to distribute the shares of a secret to a number of participants. At a later stage an authorised group of participants send their shares through secure point-to-point channels to a combiner who will reconstruct the secret. In this paper, we assume no point-to-point channel exists and communication is only through partial broadcast channels. A partial broadcast channel is a point-to-multipoint channel that enables a sender to send the same message simultaneously and privately to a fixed subset of receivers. We study secret sharing schemes with partial broadcast channels, called partial broadcast secret sharing schemes. We show that a necessary and sufficient condition for the partial broadcast channel allocation of a (t, n)-threshold partial secret sharing scheme is equivalent to a combinatorial object called a cover-free family. We use this property to construct a (t, n)-threshold partial broadcast secret sharing scheme with O(log n) partial broadcast channels. This is a significant reduction compared to the n point-to-point channels required in a conventional secret sharing scheme. Next, we consider the communication rate of a partial broadcast secret sharing scheme, defined as the ratio of the secret size to the total size of messages sent by the dealer. We show that the communication rate of a partial broadcast secret sharing scheme can approach 1/O(log n), which is a significant increase over the corresponding value, 1/n, in conventional secret sharing schemes. We derive a lower bound on the communication rate and show that for a (t, n)-threshold partial broadcast secret sharing scheme the rate is at least 1/t, and then we propose constructions with high communication rates. We also present the case of partial broadcast secret sharing schemes for general access structures, discuss possible extensions of this work and propose a number of open problems.

20.
A key distribution pattern is a combinatorial structure which provides a secure method of distributing secret keys among a number of participants in a cryptographic scheme. Inversive and Laguerre planes have been used to construct key distribution patterns with storage requirements lower than the trivial distribution system. In this note we construct key distribution patterns from Minkowski planes, the third of the so-called circle geometries. The author acknowledges the support of the Australian Research Council.
