DOCSLIB.ORG

Broadcast Encryption CMLAB, 2008 Outline

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Broadcast Encryption CMLAB, 2008 Outline Broadcast Encryption CMLAB, 2008 Outline • Introduction • Definition • Key management • Secret key distribution • Traitor tracing for broadcast encryption Introduction • Broadcast encryption ▫ Amos Fiat & Moni Naor, CRYPTO’93 ▫ Securely transmit a message to all members of the privileged subset Privileged users Broadcast Center Non-privileged users Introduction • How broadcast encryption works? ▫ Key management block Is sent at the beginning of a broadcast Is prerecorded on blank media ▫ Each recipient (device) reads the key management block and processes it to yield a management key Introduction • Simplest broadcast scheme Introduction • Applications ▫ Copy protection for PC games Introduction • Broadcast encryption vs. public key cryptography ▫ Broadcast encryption is fast ▫ All calculations in broadcast encryption are done using simple symmetric encryptions ▫ Public key calculations require exponentiation operations over a finite field Introduction ▫ For classic cryptography, secrets are easier to be found while handshaking ▫ For broadcast encryption, secrets are hidden much more deeply in the software Definition-Preliminaries • U ▫ The set of receivers (users) • S ▫ S U ▫ The set of revoked receivers (users who we do not want to be able to decrypt the next transmission) • T ▫ U \S ▫ The set of privileged (i.e., non-revoked) users • F: KxMF→CF ▫ F: encryption algorithm K: key space MF: message space CF: ciphertext space Definition • Broadcast encryption ▫ A broadcast encryption scheme is a triple of algorithm (SETUP, BROADCAST, DECRYPT) such that: SETUP takes a user u U and constructs that receiver’s private information PuP BROADCAST takes the list of revoked users S and the session key and outputs a broadcast message M A user u U runs the decryption algorithm DECRYPT(M, Pu,u) to compute the K associated with M, assuming u T 11 Definition-Resiliency • Resiliency ▫ A broadcast scheme is called resilient to set S if for every subset T (T∩S=Φ), no eavesdropper that has all secrets associated with members of S, can obtain knowledge of the secret common to T ▫ k-resilient The scheme is resilient to any set S U of size k U T S k Definition-Resiliency ▫ (k,p)-resilient The scheme is resilient to a 1-p fraction of sets S U of size k U T S k 13 Definition-Resiliency • Example: A basic scheme ▫ For every set B U, 0|B|k, define a key KB and give KB to every user xU-B ▫ The common key to the privileged set T is the exclusive or of all keys KB, BU-T ▫ Every coalition S with less than k users will all be missing key KS and will therefore be unable to compute the common key for any privileged set T (T∩S=Φ) K B1 KB2 S B2 Bj B1 T KBj 14 Key management • Issues ▫ How to assign and store the keys ▫ How to save the key storage for both the server and clients ▫ How to update the keys when users join or leave • A comprehensive survey A. Wool, 2000 A simple scheme The extended-header scheme Suppose that a program p belongs to t packages for t users Broadcast ENCKp(p) to users Header: ID Key 1 Es1(Kp) …. … t Est(Kp) Key management ▫ Matrix-based schemes Content protection for recordable media (CPRM) Content protection for prerecorded media (CPPM) (for the DVD audio) Media key block Device keys Drawbacks: The size of the matrix Sensitive to insider attacks 15 Key management ▫ The media key block is prerecorded on blank media at manufacturing time ▫ The key matrix is generated by the CPRM licensing agency and is preembossed in the lead-in area on the disk ▫ The media key block is the encryption of the media key using different device key 16 Ed00(km) Ed01(km) …… >2500 Ed10(km) ….. ….. Ekm(data) 16 Key management – CPRM key matrix 16 device keys 17 18 Key management • Other possible scenarios 19 Key management • The state update problem ▫ Content is encrypted using a group key which is known to a group of users in many scenarios ▫ When users leave or join the group, the group key must be changed Prevent leaving members from decrypting content in the future Prevent joining members from decrypting previous content (backward secrecy) O(n) messages ▫ How to reduce the overhead of the key update messages? Key management ▫ When a group member leave, GC must change the group key and inform all group members Kg(Kg’) ? Forward secrecy? S1(Kg’), S2(Kg’), S3(Kg’), … ▫ Tree-based schemes Wallner, 1997 and Wong, 1997 → Logical key hierarchy (LKH) trees Manage key changes 20 Key management – LKH (Logical Key Hierarchy) trees – A central server (key server) for each group holds a key tree – Each device is associated with a leaf of the tree – Each member holds a key path, from leaf up to the root 21 Key management – Suppose device 13 is revoked – Using sibling keys(gray nodes) to encrypt the new management key and delivering the encrypted management key to sub-trees of these gray nodes 22 23 Key management • But how to deliver new internal keys? Key management – NNL trees – IBM, 2001 – The photographic negative of the LKH tree – The device has every key in the tree except the keys between its leaf and the root 24 Secret key distribution • Secret Sharing Schemes Xn: a set of users, Γ 2X is a set of subsets called autorized subsets. In a secret sharing scheme, the TA (trusted authority) has one secre t value k G F( q ), called the key. The TA will distribute secret information to each user in X , in such a way that any authorized subset can compute k from the shares they jointly hold, but no una uthorized subset has any information about k. The secret information given to user iu will be denoted i and is called the share of user i. 25 Secret key distribution • Shamir threshold KPS (Key pre-distribution scheme) Let qn1 be a prime power 1. The TA chooses n distinct non-zero ran dom numbers xii G F( q ), and gives x to user i (1 i n ). These values do not need to be secret. 2. The TA constructs a random polynomial of degree at most t-1 t-1 f( x ) a x ii i 0 having coefficients in G F( q ). The key is the constant term a 0 . 3. The TA computes the polynimail yii f( x ) and gives yii to user . 26 Secret key distribution • Shamir threshold KPS e.g. Suppose we construct a scheme in GF (17 ) and the public values are xi i,1 i 5. Suppose that the TA chooses the polynomail f ( x) 13 10 x 2 x 2 , so the key is 13. The shares that are distribute d are y1 f (1) 8, y 2 f (2) 7 ,y3 f (3) 10 , y 4 f (4) 0 ,y 5 f (5) 11 Any 3 of the ordered pairs (1,8), (2,7), (3,10), (4,0), (5,11) can be used to reconstruc t the polynomial f . 27 28 Traitor tracing for broadcast encryption • Tracing traitors ▫ B. Chor, A. Fiat, M. Naor, & B. Pinkas, CRYPTO’94 & 98 ▫ Confiscate a pirate decoder to determine the identity of a traitor ▫ Randomly assign the decryption keys to users ▫ Make the probability of exposing an innocent user negligible 29 Traitor tracing for broadcast encryption • A simple scheme ▫ Keys 2k2 … a a 2 a1,1 1,2 1,2 k … a 2 a 2 ,1 a 2,2 2,2 k l … … … … … a a a 2 l ,1 l ,2 l ,2 k ▫ l hash functions h1, h2, …, hl 2 hi: {1,…,n}{1,…,2k } hi(u) the ith key for user u 30 Traitor tracing for broadcast encryption ▫ Personal key of user u P(u) {a , a ,..., a } … 1,h1 (u ) 2,h2 (u ) l ,hl (u ) Enabling ▫ 2k2l encrypted keys block … a a 2 a1,1 1,2 1,2 k … s E a (s1 ), E a (s1 ),..., E a (s1 ) … … … Cipher 1 ,1 1 , 2 2 a a 1, 2 k a 2 block 2 ,1 2,2 2,2 k ... … E (s ), E (s ),..., E (s ) a l ,1 l a l ,1 l a 2 l Decrypt l , 2 k a a a 2 l ,1 l ,2 l ,2 k ▫ Decrypt si and compute secret s s s1 s2 ... sl 31 Traitor tracing for broadcast encryption • Tracing s {a }{a a }{a a a }...{ a a ,... a 2 } 1 1,1 1,1 1,2 1,1 1,2 1,3 1,1 1,2 1,2 k s {a }{a a }{a a a }...{ a a ,... a 2 } 2 2 ,1 2 ,1 2 ,2 2 ,1 2 ,2 2 ,3 2,1 2 ,2 2 ,2 k .... s {a }{a a }{a a a }...{ a a ,... a 2 } l l ,1 l ,1 l ,2 l ,1 l ,2 l ,3 l ,1 l ,2 l ,2 k {a1,3 , a 2,2 ,..., a l ,2 } F 1 1 1 Compute h1 (3), h2 (2),..., hl (2) {user 1, user 5}, {user 2, user 3, user 5}, {user5, user 6}, …,{user 2, user 7, user 9}, ….,{…} user 1 x x user 2 x …. user 5 x x x x x … user n x x Traitor tracing for broadcast encryption-Examples • Efficient Methods for Integrating Traceability and Broadcast Encryption, E. Gafni, J. Staddon, and Y. L. Yin, CRYPTO’99, LNCS 1666, pp. 372-387, 1999 33 Traitor tracing for broadcast encryption-Examples • Jessica Staddon ▫ Combinatorial properties of frameproof and traceability codes. J. Staddon, D. R. Stinson and R. Wei. IEEE Transactions on Information Theory (2001), 1042-1049.
Load more

Recommended publications
  • ACM Honors Eminent Researchers for Technical Innovations That Have Improved How We Live and Work 2016 Recipients Made Contribu
    Contact: Jim Ormond 212-626-0505 [email protected] ACM Honors Eminent Researchers for Technical Innovations That Have Improved How We Live and Work 2016 Recipients Made Contributions in Areas Including Big Data Analysis, Computer Vision, and Encryption NEW YORK, NY, May 3, 2017 – ACM, the Association for Computing Machinery (www.acm.org), today announced the recipients of four prestigious technical awards. These leaders were selected by their peers for making significant contributions that have had far-reaching impact on how we live and work. The awards reflect achievements in file sharing, broadcast encryption, information visualization and computer vision. The 2016 recipients will be formally honored at the ACM Awards Banquet on June 24 in San Francisco. The 2016 Award Recipients include: • Mahadev Satyanarayanan, Michael L. Kazar, Robert N. Sidebotham, David A. Nichols, Michael J. West, John H. Howard, Alfred Z. Spector and Sherri M. Nichols, recipients of the ACM Software System Award for developing the Andrew File System (AFS). AFS was the first distributed file system designed for tens of thousands of machines, and pioneered the use of scalable, secure and ubiquitous access to shared file data. To achieve the goal of providing a common shared file system used by large networks of people, AFS introduced novel approaches to caching, security, management and administration. AFS is still in use today as both an open source system and as the file system in commercial applications. It has also inspired several cloud-based storage applications. The 2016 Software System Award recipients designed and built the Andrew File System in the 1980s while working as a team at the Information Technology Center (ITC), a partnership between Carnegie Mellon University and IBM.
    [Show full text]
  • Compact E-Cash and Simulatable Vrfs Revisited
    Compact E-Cash and Simulatable VRFs Revisited Mira Belenkiy1, Melissa Chase2, Markulf Kohlweiss3, and Anna Lysyanskaya4 1 Microsoft, [email protected] 2 Microsoft Research, [email protected] 3 KU Leuven, ESAT-COSIC / IBBT, [email protected] 4 Brown University, [email protected] Abstract. Efficient non-interactive zero-knowledge proofs are a powerful tool for solving many cryptographic problems. We apply the recent Groth-Sahai (GS) proof system for pairing product equations (Eurocrypt 2008) to two related cryptographic problems: compact e-cash (Eurocrypt 2005) and simulatable verifiable random functions (CRYPTO 2007). We present the first efficient compact e-cash scheme that does not rely on a ran- dom oracle. To this end we construct efficient GS proofs for signature possession, pseudo randomness and set membership. The GS proofs for pseudorandom functions give rise to a much cleaner and substantially faster construction of simulatable verifiable random functions (sVRF) under a weaker number theoretic assumption. We obtain the first efficient fully simulatable sVRF with a polynomial sized output domain (in the security parameter). 1 Introduction Since their invention [BFM88] non-interactive zero-knowledge proofs played an important role in ob- taining feasibility results for many interesting cryptographic primitives [BG90,GO92,Sah99], such as the first chosen ciphertext secure public key encryption scheme [BFM88,RS92,DDN91]. The inefficiency of these constructions often motivated independent practical instantiations that were arguably conceptually less elegant, but much more efficient ([CS98] for chosen ciphertext security). We revisit two important cryptographic results of pairing-based cryptography, compact e-cash [CHL05] and simulatable verifiable random functions [CL07], that have very elegant constructions based on non-interactive zero-knowledge proof systems, but less elegant practical instantiations.
    [Show full text]
  • Data Structures Meet Cryptography: 3SUM with Preprocessing
    Data Structures Meet Cryptography: 3SUM with Preprocessing Alexander Golovnev Siyao Guo Thibaut Horel Harvard NYU Shanghai MIT [email protected] [email protected] [email protected] Sunoo Park Vinod Vaikuntanathan MIT & Harvard MIT [email protected] [email protected] Abstract This paper shows several connections between data structure problems and cryptography against preprocessing attacks. Our results span data structure upper bounds, cryptographic applications, and data structure lower bounds, as summarized next. First, we apply Fiat–Naor inversion, a technique with cryptographic origins, to obtain a data structure upper bound. In particular, our technique yields a suite of algorithms with space S and (online) time T for a preprocessing version of the N-input 3SUM problem where S3 T = O(N 6). This disproves a strong conjecture (Goldstein et al., WADS 2017) that there is no data· structure − − that solves this problem for S = N 2 δ and T = N 1 δ for any constant δ > 0. e Secondly, we show equivalence between lower bounds for a broad class of (static) data struc- ture problems and one-way functions in the random oracle model that resist a very strong form of preprocessing attack. Concretely, given a random function F :[N] [N] (accessed as an oracle) we show how to compile it into a function GF :[N 2] [N 2] which→ resists S-bit prepro- cessing attacks that run in query time T where ST = O(N 2−→ε) (assuming a corresponding data structure lower bound on 3SUM). In contrast, a classical result of Hellman tells us that F itself can be more easily inverted, say with N 2/3-bit preprocessing in N 2/3 time.
    [Show full text]
  • Human Identity and the Quest to Replace Passwords Continued
    Human identity and the quest to replace passwords continued Sirvan Almasi William J.Knottenbelt Department of Computing Department of Computing Imperial College London Imperial College London London, UK London, UK [email protected] [email protected] Abstract—Identification and authentication are vital Blockchain is proving to have many more important ap- components of many online services. For authentica- plications beyond its primary conceived application of tion, password has remained the most practical solution digital cash (Bitcoin [3] since 2009). Using it as a public- despite it being a weak form of security; whilst public- key cryptography is more secure, developing a practical key infrastructure (PKI) and identity management is two system has been an impediment to its adoption. For important examples that have tremendous implications for identification there is a lack of widely adopted protocol web applications. The likes of Namecoin [4], Blockstack [5] that isn’t dependent on trusted third parties or a and Certcoin [6] are examples of organisations attempting centralised public-key infrastructure. The Fiat–Shamir to recreate DNS, identity and certification services using identification scheme solved this issue but by assuming there was a single identity issuer to begin with, whilst blockchain. Other examples that have used the blockchain in reality you would have multiple identity issuers. as a PKI include [7] for IoT devices and [8] for identity Here we introduce deeID, a blockchain-based public- management. key infrastructure that enables multiple Fiat–Shamir The role and security of our identity in the digital identity issuers for identification. At the same time the ecosystem has taken a centre stage as the significance system is used for authentication that enables better than password security whilst remaining practical.
    [Show full text]
  • E-Cash Payment Protocols and Systems
    E-CASH PAYMENT PROTOCOLS AND SYSTEMS * MRS. J. NIMALA, Assistant Professor, PG and Research Department of Commerce with CA, Hindusthan College of Arts and Science, Coimbatore. TN INDIA ** MRS. N. MENAGA, Assistant Professor, PG and Research Department of Commerce with CA, Hindusthan College of Arts and Science, Coimbatore. TN INDIA Abstract E-cash is a payment system intended and implemented for making purchases over open networks such as the Internet. Require of a payment system which provides the electronic transactions are emergent at the similar moment that the exploit of Internet is budding in our daily life. Present days electronic payment systems have a major dilemma, they cannot switch the security and the user’s secrecy and at the same time these systems are secure on the cost of their users ambiguity. This paper shows the payment protocols for digital cash and discusses how a digital cash system can be fashioned by presenting a few of the recent day’s digital cash systems in details. We also offer a comparison and determine them mutually to see which one of them fulfils the properties for digital cash and the mandatory security level. Keywords: E-cash; Payment Protocol; Double Spending; Blind Signature. Introduction DigiCash is a private company founded in 1989 by Dr David Chaum. It has created an Internet money product, now patented, and called ‘ecash’. DigiCash’s ecash has been used for many different types of transactions. It is a stored-value cryptographic coin system that facilitates Internet-based commerce using software that runs on personal computers. It provides a way to implement anonymous electronic payments in an environment of mutual mistrust between the bank and the system users.
    [Show full text]
  • Federated Computing Research Conference, FCRC’96, Which Is David Wise, Steering Being Held May 20 - 28, 1996 at the Philadelphia Downtown Marriott
    CRA Workshop on Academic Careers Federated for Women in Computing Science 23rd Annual ACM/IEEE International Symposium on Computing Computer Architecture FCRC ‘96 ACM International Conference on Research Supercomputing ACM SIGMETRICS International Conference Conference on Measurement and Modeling of Computer Systems 28th Annual ACM Symposium on Theory of Computing 11th Annual IEEE Conference on Computational Complexity 15th Annual ACM Symposium on Principles of Distributed Computing 12th Annual ACM Symposium on Computational Geometry First ACM Workshop on Applied Computational Geometry ACM/UMIACS Workshop on Parallel Algorithms ACM SIGPLAN ‘96 Conference on Programming Language Design and Implementation ACM Workshop of Functional Languages in Introductory Computing Philadelphia Skyline SIGPLAN International Conference on Functional Programming 10th ACM Workshop on Parallel and Distributed Simulation Invited Speakers Wm. A. Wulf ACM SIGMETRICS Symposium on Burton Smith Parallel and Distributed Tools Cynthia Dwork 4th Annual ACM/IEEE Workshop on Robin Milner I/O in Parallel and Distributed Systems Randy Katz SIAM Symposium on Networks and Information Management Sponsors ACM CRA IEEE NSF May 20-28, 1996 SIAM Philadelphia, PA FCRC WELCOME Organizing Committee Mary Jane Irwin, Chair Penn State University Steve Mahaney, Vice Chair Rutgers University Alan Berenbaum, Treasurer AT&T Bell Laboratories Frank Friedman, Exhibits Temple University Sampath Kannan, Student Coordinator Univ. of Pennsylvania Welcome to the second Federated Computing Research Conference, FCRC’96, which is David Wise, Steering being held May 20 - 28, 1996 at the Philadelphia downtown Marriott. This second Indiana University FCRC follows the same model of the highly successful first conference, FCRC’93, in Janice Cuny, Careers which nine constituent conferences participated.
    [Show full text]
  • Web Search Via Hub Synthesis
    Web Search Via Hub Synthesis Dimitris Achlioptas∗ Amos Fiaty Anna R. Karlinz Frank McSherryx Small have continual plodders ever won save base authority Page [6, 25, 18] developed a highly successful search en- from others books. gine, Google [17], which orders search results according to — William Shakespeare, Loves Labours Lost. Act i. Sc. 1. PageRank, a measure of authority of the underlying page. They define themselves in terms of what they oppose. Both approaches use, chiefly, text matching to determine — George Will, On conservatives, Newsweek 30 Sep 74. the set of candidate answers to a query, and then rely on linkage information to define a ranking of these candidate Abstract web pages. Unfortunately, as every occasionally frustrated web-searcher can attest, text matching can run into trou- We present a model for web search that captures in a uni- ble with two ubiquitous phenomena: synonymy (where two fied manner three critical components of the problem: how distinct terms, like “terrorist” and “freedom-fighter”, refer the link structure of the web is generated, how the content to the same thing) and polysemy (where a single word or of a web document is generated, and how a human searcher phrase, like “bug”, has multiple distinct meanings). Syn- generates a query. The key to this unification lies in cap- onymy may cause important pages to be overlooked, while turing the correlations between these components in terms polysemy may cause authoritative pages on topics other of proximity in a shared latent semantic space. Given such than the search topic to be included. a combined model, the correct answer to a search query is Synonymy and polysemy, as problems in information well defined, and thus it becomes possible to evaluate web retrieval, long precede the advent of the web and have re- search algorithms rigorously.
    [Show full text]
  • Arxiv:1911.04124V5 [Cs.CR] 4 Aug 2021 Hra O Uhecmee Oetpriiain Hsmig This Participation
    Tuning PoW with Hybrid Expenditure Itay Tsabary Alexander Spiegleman Ittay Eyal [email protected] [email protected] [email protected] Technion, IC3 Faceook Novi Technion, IC3 Haifa, Israel Menlo Park, California, USA Haifa, Israel ABSTRACT 104, 105] that facilitate monetary ecosystems of internally-minted Proof of Work (PoW ) is a Sybil-deterrence security mechanism. It tokens, maintained by principals called miners. Miners that follow introduces an external cost to a system by requiring computational the protocol are rewarded with tokens; tokens are scarce, hence a effort to perform actions. However, since its inception, a central market forms [26, 27, 47, 111]; so, miners can sell their obtained challenge was to tune this cost. Initial designs for deterring spam tokens for fiat currency (e.g., USD, EUR), compensating them for email and DoS attacks applied overhead equally to honest partici- their PoW expenses. pants and attackers. Requiring too little effort did not deter attacks, To guarantee their security [50, 71, 128], PoW cryptocurrencies whereas too much encumbered honest participation. This might be moderate their operation rate by dynamically tuning the required the reason it was never widely adopted. computation difficulty to match miner capabilities [98, 119, 122, Nakamoto overcame this trade-off in Bitcoin by distinguishing 125]. Consequently, the PoW expenditure directly depends on to- desired from malicious behavior and introducing internal rewards ken values [15, 40, 103, 117] – higher token prices imply higher for the former. This solution gained popularity in securing cryp- mining rewards, which draw more miners to participate, leading tocurrencies and using the virtual internally-minted tokens for re- to more expended resources.
    [Show full text]
  • A Secure Message Broadcasting System (SMBS)
    Purdue University Purdue e-Pubs Department of Computer Science Technical Reports Department of Computer Science 1996 A Secure Message Broadcasting System (SMBS) Mark Crosbie Ivan Krsul Steve Lodin Eugene H. Spafford Purdue University, [email protected] Report Number: 96-019 Crosbie, Mark; Krsul, Ivan; Lodin, Steve; and Spafford, Eugene H., "A Secure Message Broadcasting System (SMBS)" (1996). Department of Computer Science Technical Reports. Paper 1275. https://docs.lib.purdue.edu/cstech/1275 This document has been made available through Purdue e-Pubs, a service of the Purdue University Libraries. Please contact [email protected] for additional information. A SECURE MESSAGE BROADCAST SYSTEM (SMBS) Mark Crosbie Ivan Krsul Steve Lodin Eugene H. Spafford DepaI1ment of Computer Sciences Purdue University West LarayeHe. IN 47907 CSD TR·96-019 March 1996 i A Secure Message Broadcast System (SMBS) Mark Crosbie Ivan Krsul Steve Ladin Eugene H. Spafford" The COASTProject Department of Computer Sciences Purdue University West Lafayette, IN 47907-1398 {mcrosbie,krsul,swlodin, spal}@cs.purdue.edu Technical Report CSD-TR-96-019 March II, 1996 1 Introduction This paper describes the design and implementation of a secure message broadcast system (SMBS). It is a secure, multi­ party chat program that ensures privacy in communication and does not rely on shared secret keys. The system was built as a study of the feasibility of building effective communication tools using zero knowledge proofs. There is a general consensus in the computer security comunity thallfaditional password based authentication mech­ anisms are insuficient in loday's globally connected environment. Mechanisms such as one-time-passwords are a partial solution to the problem.
    [Show full text]
  • Protecting Communications Against Forgery
    Algorithmic Number Theory MSRI Publications Volume 44, 2008 Protecting communications against forgery DANIEL J. BERNSTEIN ABSTRACT. This paper is an introduction to cryptography. It covers secret- key message-authentication codes, unpredictable random functions, public- key secret-sharing systems, and public-key signature systems. 1. Introduction Cryptography protects communications against espionage: an eavesdropper who intercepts a message will be unable to decipher it. This is useful for many types of information: credit-card transactions, medical records, love letters. Cryptography also protects communications against sabotage: a forger who fabricates or modifies a message will be unable to deceive the receiver. This is useful for all types of information. If the receiver does not care about the authenticity of a message, why is he listening to the message in the first place? This paper explains how cryptography prevents forgery. Section 2 explains how to protect n messages if the sender and receiver share 128(n 1) secret + bits. Section 3 explains how the sender and receiver can generate many shared secret bits from a short shared secret. Section 4 explains how the sender and receiver can generate a short shared secret from a public conversation. Section 5 explains how the sender can protect a message sent to many receivers, without sharing any secrets. Mathematics Subject Classification: 94A62. Permanent ID of this document: 9774ae5a1749a7b256cc923a7ef9d4dc. Date: 2008.05.01. 535 536 DANIEL J. BERNSTEIN 2. Unbreakable secret-key authenticators Here is a protocol for transmitting a message when the sender and receiver both know certain secrets: Secrets p, k Secrets p, k Authenticated Possibly forged Message m / / / Verification message m, a message m0, a0 The message is a polynomial m F[x] with m(0) 0 and deg m 1000000.
    [Show full text]
  • Lipics-ITCS-2018-0.Pdf (0.4
    9th Innovations in Theoretical Computer Science ITCS 2018, January 11–14, 2018, Cambridge, MA, USA Edited by Anna R. Karlin LIPIcs – Vol. 94 – ITCS2018 www.dagstuhl.de/lipics Editor Anna R. Karlin Allen School of Computer Science and Engineering University of Washington [email protected] ACM Classification 1998 F. Theory of Computation, G. Mathematics of Computing ISBN 978-3-95977-060-6 Published online and open access by Schloss Dagstuhl – Leibniz-Zentrum für Informatik GmbH, Dagstuhl Publishing, Saarbrücken/Wadern, Germany. Online available at http://www.dagstuhl.de/dagpub/978-3-95977-060-6. Publication date January, 2018 Bibliographic information published by the Deutsche Nationalbibliothek The Deutsche Nationalbibliothek lists this publication in the Deutsche Nationalbibliografie; detailed bibliographic data are available in the Internet at http://dnb.d-nb.de. License This work is licensed under a Creative Commons Attribution 3.0 Unported license (CC-BY 3.0): http://creativecommons.org/licenses/by/3.0/legalcode. In brief, this license authorizes each and everybody to share (to copy, distribute and transmit) the work under the following conditions, without impairing or restricting the authors’ moral rights: Attribution: The work must be attributed to its authors. The copyright is retained by the corresponding authors. Digital Object Identifier: 10.4230/LIPIcs.ITCS.2018.0 ISBN 978-3-95977-060-6 ISSN 1868-8969 http://www.dagstuhl.de/lipics 0:iii LIPIcs – Leibniz International Proceedings in Informatics LIPIcs is a series of high-quality conference proceedings across all fields in informatics. LIPIcs volumes are published according to the principle of Open Access, i.e., they are available online and free of charge.
    [Show full text]
  • Formal Analysis of E-Cash Protocols∗
    Formal Analysis of E-Cash Protocols∗ Jannik Dreier1, Ali Kassem2 Pascal Lafourcade3 1Institute of Information Security, Department of Computer Science, ETH Zurich, Switzerland 2 University Grenoble Alpes, VERIMAG, Grenoble, France 3University Clermont Auvergne, LIMOS, France Keywords: E-Cash, Formal Analysis, Double Spending, Exculpability, Privacy, Applied π-Calculus, ProVerif. Abstract: Electronic cash (e-cash) aims at achieving client privacy at payment, similar to real cash. Several security protocols have been proposed to ensure privacy in e-cash, as well as the necessary unforgery properties. In this paper, we propose a formal framework to define, analyze, and verify security properties of e-cash systems. To this end, we model e-cash systems in the applied π-calculus, and we define two client privacy properties and three properties to prevent forgery. Finally, we apply our definitions to an e-cash protocol from the literature proposed by Chaum et al., which has two variants and a real implementation based on it. Using ProVerif, we demonstrate that our framework is suitable for an automated analysis of this protocol. 1 Introduction In this protocol coins are non-transferable, i.e., the seller cannot spend a received coin again, but Although current banking and electronic pay- has to deposit it at the bank. If he wants to ment systems such as credit cards or, e.g., Pay- spend a coin in another shop, he has to withdraw Pal allow clients to transfer money around the a new coin from his account, similar to the usual world in a fraction of a second, they do not fully payment using cheques.
    [Show full text]