Concealing complex policies with hidden credentials
In Proceedings of the 11th ACM Conference on Computer and Communications Security, 2004
Cited by 70 (2 self)
Abstract
Hidden credentials are useful in protecting sensitive resource requests, resources, policies, and credentials. We propose a significant performance improvement when implementing hidden credentials using Boneh/Franklin Identity-Based Encryption. We also propose a substantially improved secret splitting scheme for enforcing complex policies, and show how it improves concealment of policies from non-satisfying recipients.
Hidden Credentials
2003
Cited by 62 (4 self)
Abstract
Hidden Credentials are useful in situations where requests for service, credentials, access policies and resources are extremely sensitive. We show how transactions which depend on fulfillment of policies described by monotonic boolean formulae can take place in a single round of messages. We further show how credentials that are never revealed can be used to retrieve sensitive resources.
Secret sharing made short
1988
Cited by 61 (0 self)
Abstract
A well-known fact in the theory of secret sharing schemes is that shares must be of length at least as the secret itself. However, the proof of this lower bound uses the notion of information-theoretic secrecy. A natural (and very practical) question is whether one can do better for secret sharing if the notion of secrecy is computational, namely, against resource-bounded adversaries. In this note we observe that, indeed, one can do much better in the computational model (which is the one used in most applications). We present an m-threshold scheme, where m shares recover the secret but m − 1 shares give no (computational) information on the secret, in which shares corresponding to a secret S are of size |S|/m plus a short piece of information whose length does not depend on the secret size but just on the security parameter. (The bound of |S|/m is clearly optimal if the secret is to be recovered from m shares.) Therefore, for moderately large secrets (a confidential file, a long message, a large database) the savings in space and communication over traditional schemes is remarkable. The scheme is very simple and combines in a natural way traditional (perfect) secret sharing schemes, encryption, and information dispersal. It is provably secure given a secure (e.g., private key) encryption function.
Zero-Knowledge Proofs for Finite Field Arithmetic, or: Can Zero-Knowledge be for Free?
In Proc. CRYPTO, 1997
Cited by 60 (5 self)
Abstract
We present zero-knowledge proofs and arguments for arithmetic circuits over finite prime fields, namely given a circuit, show in zero-knowledge that inputs can be selected leading to a given output. For a field GF(q), where q is an n-bit prime, a circuit of size O(n), and error probability 2 , our protocols require communication of O(n ) bits. This is the same worst-case complexity as the trivial (non zero-knowledge) interactive proof where the prover just reveals the input values. If the circuit involves n multiplications, the best previously known methods would in general require communication of Ω(n log n) bits. Variations of the
Some Improved Bounds on the Information Rate of Perfect Secret Sharing Schemes (Extended Abstract)
1998
Cited by 55 (4 self)
Abstract
In this paper, graphs do not have loops or multiple edges; a graph with multiple edges will be termed a multigraph. If G is a graph, we denote the vertex set of G by V(G) and the edge set by E(G). G is connected if any two vertices are joined by a path. The complete graph K_n is the graph on n vertices in which any two vertices are joined by an edge. The complete multipartite graph K_{n_1, n_2, ..., n_t} is a graph on \sum_{i=1}^{t} n_i vertices, in which the vertex set is partitioned into subsets of size n_i (1 ≤ i ≤ t), such that vw is an edge if and only if v and w are in different subsets of the partition. An alternative way to characterize a complete multipartite graph is to say that the complementary graph is a vertex-disjoint union of cliques
Redistributing Secret Shares to New Access Structures and Its Applications
1997
Cited by 51 (0 self)
Abstract
Proactive secret sharing deals with refreshing secret shares, i.e., redistributing the shares of a secret to the original access structure. In this paper we focus on the general problem of redistributing shares of a secret key. Shares of a secret have been distributed such that access sets specified in the access structure Γ (e.g., t-out-of-l) can access (or use) the secret. The problem is how to redistribute the secret, without recovering it, in such a way that those specified in the new access structure Γ′ will be able to recover the secret. We also adapt our scheme such that it can be used in the context of threshold cryptography and discuss its applications to secure databases.
1 Introduction
Since its invention, several improvements and variants of threshold schemes [6, 34] and general secret sharing [22] have been presented. In proactive secret sharing schemes [30, 20] (see also [10]), shares of a secret are being refreshed by the participants to avoid a mobile atta...
Robust Information-Theoretic Private Information Retrieval
Proc. of the 28th International Colloquium on Automata, Languages and Programming, volume 2076 of Lecture Notes in Computer Science, 2002
Cited by 46 (5 self)
Abstract
A Private Information Retrieval (PIR) protocol allows a user to retrieve a data item of its choice from a database, such that the servers storing the database do not gain information on the identity of the item being retrieved. PIR protocols have been studied in depth since the subject was introduced by Chor, Goldreich, Kushilevitz, and Sudan in 1995. The standard definition of PIR protocols raises a simple question: what happens if some of the servers crash during the operation? How can we devise a protocol which still works in the presence of crashing servers? Current systems do not guarantee availability of servers at all times for many reasons, e.g., crash of a server or communication problems. Our purpose is to design robust PIR protocols, i.e., protocols which still work correctly even if only k out of ℓ servers are available during the protocols' operation (the user does not know in advance which servers are available). We present various robust PIR protocols giving different tradeoffs between the different parameters. These protocols are incomparable, i.e., for different values of n and k we will get better results using different protocols. We first present a generic transformation from regular PIR protocols to robust PIR protocols; this transformation is important since any improvement in the communication complexity of regular PIR protocols will immediately imply an improvement in the robust PIR protocol communication. We also present two specific robust PIR protocols. Finally, we present robust PIR protocols which can tolerate Byzantine servers, i.e., robust PIR protocols which still work in the presence of malicious servers or servers with corrupted or obsolete databases.
Rapid Demonstration of Linear Relations Connected by Boolean Operators
In EUROCRYPT ’97, 1997
Cited by 44 (0 self)
Abstract
Consider a polynomial-time prover holding a set of secrets. We describe how the prover can rapidly demonstrate any satisfiable boolean formula for which the atomic propositions are relations that are linear in the secrets, without revealing more information about the secrets than what is conveyed by the formula itself. Our protocols support many proof modes, and are as secure as the Discrete Logarithm assumption or the RSA/factoring assumption.
1 Introduction
Consider a polynomial-time prover that has committed to a vector of secrets and wants to demonstrate that the secrets satisfy some satisfiable formula from propositional logic, where the atomic propositions are relations that are linear in the secrets. An example formula is ((5x_1 − 3x_2 = 5) AND (2x_2 + 3x_3 = 7)) OR (NOT(x_1 + 4x_3 = 5)), where (x_1, ..., x_k) is the prover's vector of secrets. The prover does not want to reveal any more information about its secrets than what is co...
Access control and signatures via quorum secret sharing
IEEE Transactions on Parallel and Distributed Systems, 1998
Cited by 44 (11 self)
Abstract
We suggest a method of controlling the access to a secure database via quorum systems. A quorum system is a collection of sets (quorums) every two of which have a nonempty intersection. Quorum systems have been used for a number of applications in the area of distributed systems. We propose a separation between access servers, which are protected and trustworthy, but may be outdated, and the data servers, which may all be compromised. The main paradigm is that only the servers in a complete quorum can collectively grant (or revoke) access permission. The method we suggest ensures that, after authorization is revoked, a cheating user Alice will not be able to access the data even if many access servers still consider her authorized and even if the complete raw database is available to her. The method has a low overhead in terms of communication and computation. It can also be converted into a distributed system for issuing secure signatures. An important building block in our method is the use of secret sharing schemes that realize the access structures of quorum systems. We provide several efficient constructions of such schemes which may be of interest in their own right.
Distributing Trust on the Internet
In Proc. International Conference on Dependable Systems and Networks (DSN-2001), 2000
Cited by 42 (7 self)
Abstract
This paper describes an architecture for secure and fault-tolerant service replication in an asynchronous network such as the Internet, where a malicious adversary may corrupt some servers and control the network. It relies on recent protocols for randomized Byzantine agreement and for atomic broadcast, which exploit concepts from threshold cryptography. The model and its assumptions are discussed in detail and compared to related work from the last decade in the first part of this work, and an overview of the broadcast protocols in the architecture is provided. The standard approach in fault-tolerant distributed systems is to assume that at most a certain fraction of servers fails. In the second part, novel general failure patterns and corresponding protocols are introduced. They allow for realistic modeling of real-world trust assumptions, beyond (weighted) threshold models. Finally, it is discussed how three different applications can be realized using such an architecture: ...