G. R. Blakley

Safeguarding cryptographic keys

Certain cryptographic keys, such as a number which makes it possible to compute the secret decoding exponent in an RSA public key cryptosystem,1,5 or the system master key and certain other keys in a DES cryptosystem,3 are so important that they present a dilemma. If too many copies are distributed one might go astray. If too few copies are made they might all be destroyed. A typical cryptosystem will have several volatile copies of an important key in protected memory locations where they will very probably evaporate if any tampering or probing occurs. Since an opponent may be content to disrupt the system by forcing the evaporation of all these copies it is useful to entrust one or more other nonvolatile copies to reliable individuals or secure locations. What must the nonvolatile copies of the keys, or nonvolatile pieces of information from which the keys are reconstructed, be guarded against? The answer is that there are at least three types of incidents:

Security of ramp schemes

A k out of n p/s/r process [AS81] is a very efficient way to convey information (k words suffice to reclaim k words). But it provides virtually no cryptographic security for the information it deals with.

Digital fingerprinting codes: problem statements, constructions, identification of traitors

We consider a general fingerprinting problem of digital data under which coalitions of users can alter or erase some bits in their copies in order to create an illegal copy. Each user is assigned a fingerprint which is a word in a fingerprinting code of size M (the total number of users) and length n. We present binary fingerprinting codes secure against size-t coalitions which enable the distributor (decoder) to recover at least one of the users from the coalition with probability of error exp(-/spl Omega/(n)) for M=exp(/spl Omega/(n)). This is an improvement over the best known schemes that provide the error probability no better than exp(-/spl Omega/(n/sup 1/2/)) and for this probability support at most exp(O(n/sup 1/2/)) users. The construction complexity of codes is polynomial in n. We also present versions of these constructions that afford identification algorithms of complexity poly(n)=polylog(M), improving over the best previously known complexity of /spl Omega/(M). For the case t=2, we construct codes of exponential size with even stronger performance, namely, for which the distributor can either recover both users from the coalition with probability 1-exp(/spl Omega/(n)), or identify one traitor with probability 1.

Fingerprinting long forgiving messages

In his 1983 paper, Neal Wagner1 defines a perfect fingerprint to be an identifying fingerprint added to an object in such a way that any alteration to it that makes the fingerprint unrecognizable will also make the object unusable. A perfect fingerprinting scheme for binary data would seem difficult to devise, since it would be possible to discover the fingerprints by comparing different fingerprinted copies of the same piece of data. In this paper we discuss a fingerprinting scheme which, although it does not surmount this problem entirely, at least specifies the number of copies an opponent must obtain in order to erase the fingerprints.

Threshold Schemes with Disenrollment

When a shadow of a threshold scheme is publicized, new shadows have to be reconstructed and redistributed in order to maintain the same level of security. In this paper we consider threshold schemes with disenrollment capabilities where the new shadows can be created by broadcasts through a public channel. We establish a lower bound on the size of each shadow in a scheme that allows L disenrollments. We exhibit three systems that achieve the lower bound on shadow size.

Linear Algebra Approach to Secret Sharing Schemes

The problem of secret sharing schemes (555) in the case where all sharing functions are linear maps over a finite field is investigated. We evaluate the performance of linear secret sharing schemes using the tools of linear algebra and coding theory. In particular, the nonexistence of an ideal threshold linear 555 for the case where the number of participants is twice as large as the number of possible values of a secret is shown.

A Database Encryption Scheme Which Allows the Computation of Statistics Using Encrypted Data

Davida, Wells and Kam used the Chinese Remainder Theorem to construct an encryption system allowing access to individual data fields of a record in a relational database. Their system is public-key in the sense that the read and write keys of a given data field are different. In this paper we present a database encryption system based on ideas similar to theirs. It is not public key, but has some other useful features. It makes possible the computation of averages and other statistics pertinent to unencrypted data, but it uses only encrypted data in the computation.

Ideal perfect threshold schemes and MDS codes

Secret sharing schemes (SSS) made their appearance in the form of threshold (n,/spl tau/)-schemes in 1979. R. McEliece and D. Sarwate pointed out a relationship between threshold schemes and MDS-codes in 1981. In 1983 Karnin, Greene and Hellman gave an information-theoretic approach to SSS and proved some upper and lower bounds on the number of participants in an ideal perfect threshold SSS. The proof is based, in fact, on the observation that each ideal perfect threshold SSS determines a unique MDS code, and vice versa, when the secret and shadows belong to the same finite field. Brickell and Davenport (see Journal of Cryptology, vol.4, p.123, 1991) considered combinatorial ideal perfect SSS for the general access structure and established the relationship between such schemes and mastroids. From their results the equivalence of combinatorial ideal perfect threshold SSS and MDS codes (i.e. orthogonal arrays OA/sub 1/(/spl tau/,n+l,q)) follows almost immediately. We give an independent, self-contained proof (following the ideas of Karnin et al.) for the (formally) more general information-theoretic definition of ideal SSS.

Twenty years of cryptography in the open literature

The paper concentrates on the real world problems created in the last two decades (1973-99) by cryptographers who publish in the open literature, and also mentions what gave rise to these problems-the solutions we gave to various theoretical problems, often of our own posing. For the last twenty years (1980-99), the annual IEEE Symposia on Security and Privacy have provided us with a stimulating and encouraging environment within which to expand cryptographys structure and visibility, while exposing us to criticism from workers in other security-related areas. Cryptography has been an important component of S&P, but seldom a major one. Much work presented is from conferences other than S&P. But S&Ps influence has been ubiquitous and formative for the worldwide community of open literature cryptographers. To set the problems stage, the author presents six propositions for consideration, not necessarily for acceptance.

Random coding technique for digital fingerprinting codes: fighting two pirates revisited

This paper considers the fingerprinting problem for the particular case when coalitions of pirates consist of no more than two users. It proves that random binary fingerprinting codes are secure against size-2 coalitions with probability of error tending to zero and code rate R=1-1/21og/sub 2/3=0.2075. This is an improvement by a factor of eight over the best known schemes that provide the error probability tending to zero.