Peter R. Wild

On key assignment for hierarchical access control

A key assignment scheme is a cryptographic technique for implementing an information flow policy, sometimes known as hierarchical access control. All the research to date on key assignment schemes has focused on particular encryption techniques rather than an analysis of what features are required of such a scheme. To remedy this we propose a family of generic key assignment schemes and compare their respective advantages. We note that every scheme in the literature is simply an instance of one of our generic schemes. We then conduct an analysis of the Aki-Taylor scheme and propose a number of improvements. We also demonstrate that many of the criticisms that have been made of this scheme in respect of key updates are unfounded, finally, exploiting the deeper understanding we have acquired of key assignment schemes, we introduce a technique for exploiting the respective advantages of different schemes

Efficient multiplicative sharing schemes

Multiplicative threshold schemes are useful tools in threshold cryptography. For example, such schemes can be used with a wide variety of practical homomorphic cryptosystems (such as the RSA, the El Gamal and elliptic curve systems) for threshold decryption, signatures, or proofs. The paper describes a new recursive construction for multiplicative threshold schemes which makes it possible to extend the number of users of such schemes for a relatively small expansion of the share size. We discuss certain properties of the schemes, such as the information rate and zero knowledge aspects. The paper extends the Karnin-Greene-Hellman bound on the parameters of ideal secret sharing schemes to schemes which are not necessarily ideal and then uses this as a yardstick to compare the performance of currently known multiplicative sharing schemes.

Optimal Linear Perfect Hash Families

LetVbe a set of ordernand letFbe a set of orderq. A setS?{?:V?F} of functions fromVtoFis an (n,q,t)-perfect hash familyif for allX?Vwith |X|=t, there exists??Swhich is injective when restricted toX. Perfect hash families arise in compiler design, in circuit complexity theory and in cryptography. LetSbe an (n,q,t)-perfect hash family. The paper provides lower bounds on |S|, which better previously known lower bounds for many parameter sets. The paper exhibits new classes of perfect hash families which show that these lower bounds are realistic.

Secret Sharing with Reusable Polynomials

We present a threshold secret sharing scheme based on polynomial interpolation and the Diffie-Hellman problem. In this scheme shares can be used for the reconstruction of multiple secrets, shareholders can dynamically join or leave without distributing new shares to the existing shareholders, and shares can be individually verified during both share distribution and secret recovery.

Distributing the Encryption and Decryption of a Block Cipher

In threshold cryptography, the goal is to distribute the computation of basic cryptographic primitives across a number of nodes in order to relax trust assumptions on individual nodes, as well as to introduce a level of fault-tolerance against node compromise. Most threshold cryptography has previously looked at the distribution of public key primitives, particularly threshold signatures and threshold decryption mechanisms. In this paper, we look at the application of threshold cryptography to symmetric primitives, and in particular the encryption or decryption of a symmetric key block cipher. We comment on some previous work in this area and then propose a model for shared encryption / decryption of a block cipher. We will present several approaches to enable such systems and will compare them.

The Combinatorics of Perfect Authentication Schemes

The purpose of this paper is to prove the equivalence of perfect authentication schemes and maximum distance separable codes.

Bounds and Characterizations of Authentication/SecrecySchemes

We consider authentication/secrecy schemes from the information theoretic approach. We extend results on unconditionally secure authentication schemes and then consider unconditionally secure authentication schemes that offer perfect L-fold secrecy. We consider both ordered and unordered secrecy. We establish entropy bounds on the encoding rules for authentication schemes with these types of secrecy. We provide some combinatorial characterizations and constructions for authentication schemes having perfect L-fold secrecy that meet these bounds.

A weak cipher that generates the symmetric group

There has been recent interest in the permutation group generated by the round functions of a block cipher. In this paper we present a cautionary example of a block cipher which generates the full symmetric group yet is very weak.

Relations between two perfect ternary sequence constructions

Both R. Games [4] and V.P. Ipatov [8] have given constructions for perfect ternary sequences. Games uses difference sets and quadrics in projective space, while Ipatov uses q-ary m-sequences. We show that the Ipatov sequences are a subset of the Games sequences. Further, we show that a conjecture of Games relating to quadrics in projective spaces does not hold in general.

One-stage one-sided rearrangeable switching networks

Switching networks consisting of subscriber lines and crosswires connected by switches are considered. A connection between two subscribers is made along one crosswire via two switches. The minimum number of switches necessary for such a switching network to be rearrangeably nonblocking is determined and a switching arrangement which achieves this minimum for any (even) number of subscriber lines is constructed. Two procedures for assignment of crosswires to subscriber line pairs are described. One makes the correct choice of connection route without backtracking provided all connections are known beforehand; the other determines a rearrangement of existing assignments when a new connection is required. The switching networks which have the minimum number of switches for networks with up to eight subscriber lines and give nonisomorphic solutions for larger networks are characterized. >