
Publication


Featured research published by Yvo Desmedt.


theory and application of cryptographic techniques | 1994

A secure and efficient conference key distribution system

Mike Burmester; Yvo Desmedt

We present practical conference key distribution systems based on public keys, which authenticate the users and which are ‘proven’ secure provided the Diffie-Hellman problem is intractable. A certain number of interactions is needed but the overall cost is low. There is a complexity tradeoff. Depending on the network used, we either have a constant (in the number of conference participants) number of rounds (exchanges) or a constant communication and computation overhead. Our technique for authentication can be extended and used as the basis for an authentication scheme which is ‘proven’ secure against any type of attack, provided the Discrete Logarithm problem is intractable.


Archive | 1994

Advances in Cryptology — CRYPTO ’94

Yvo Desmedt

This paper describes an improved version of linear cryptanalysis and its application to the first successful computer experiment in breaking the full 16-round DES. The scenario is a known-plaintext attack based on two new linear approximate equations, each of which provides candidates for 13 secret key bits with negligible memory. Moreover, reliability of the key candidates is taken into consideration, which increases the success rate. As a result, the full 16-round DES is breakable with high success probability if 2^43 random plaintexts and their ciphertexts are available. The author carried out the first experimental attack using twelve computers to confirm this: he finally reached all of the 56 secret key bits in fifty days, out of which forty days were spent for generating plaintexts and their ciphertexts and only ten days were spent for the actual key search.


international cryptology conference | 1987

Society and Group Oriented Cryptography: A New Concept

Yvo Desmedt

Messages are frequently addressed to a group of people, e.g., board of directors. Conventional and public key systems (in the sense of Diffie and Hellman [4]) are not adapted when messages are intended for a group instead of for an individual. To deeply understand the lack of usefulness of the above cryptosystems in the case that messages are intended for (or are originating from) a group of people, let us now nevertheless attempt to use these systems. When conventional and public key systems are used to protect privacy, the legitimate receiver(s) has (have) to know the secret key to decrypt. This means that, a first solution could be, to send the message to all members of the group, e.g., using their public keys. A second is that the secret key is known to all members and that the message is sent only once. All other solutions using a conventional or public key system, are combinations of the above two solutions. We now explain briefly why these two obvious solutions are not adapted to security needs specific to the protection of information intended for groups.


international cryptology conference | 2004

A New Paradigm of Hybrid Encryption Scheme

Kaoru Kurosawa; Yvo Desmedt

In this paper, we show that a key encapsulation mechanism (KEM) does not have to be IND-CCA secure in the construction of hybrid encryption schemes, as was previously believed. That is, we present a more efficient hybrid encryption scheme than Shoup [12] by using a KEM which is not necessarily IND-CCA secure. Nevertheless, our scheme is secure in the sense of IND-CCA under the DDH assumption in the standard model. This result is further generalized to universal₂ projective hash families.


symposium on the theory of computing | 1994

How to share a function securely

Alfredo De Santis; Yvo Desmedt; Yair Frankel; Moti Yung

We define the primitive of function sharing, a functional analog of secret sharing, and employ it to construct novel cryptosystems. The basic idea of function sharing is to split a hard to compute (trapdoor) function into shadow functions (or share-functions). The intractable function becomes easy to compute at a given point value when given any threshold (at least t out of i) of shadow functions evaluations at that point. Otherwise, the function remains hard. Furthermore, the function must remain intractable even after exposing up to t − 1 shadow functions and exposing values of all shadow functions at polynomially many inputs. The primitive enables the distribution of the power to perform cryptography (signature, decryption, etc.) to agents. This enables the design of various novel cryptosystems with improved integrity, availability and security properties. Our model should be contrasted with the model of secure function evaluation protocols. We require no channels between agents holding the shadow functions, as the agents act non-interactively on a publicly available input. Our security solely relies on secure memories (and results) as in regular cryptosystems. In secure function evaluation, on the other hand, it is necessary to have private/secured bilateral channels, interactive protocol, and security of all inputs – in addition to secure memories. * Dip. di Informatica ed Applicazioni, Università di Salerno, Baronissi (SA), Italy. † Dept. of EE&CS, Univ. of Wisconsin Milwaukee, WI. Partially supported by NSF Grant NCR-9106327.


theory and application of cryptographic techniques | 1998

Optimum traitor tracing and asymmetric schemes

Kaoru Kurosawa; Yvo Desmedt

GTE Laboratories Incorporated, Waltham, MA.


international conference on computer communications | 1992

Multi-receiver/multi-sender network security: efficient authenticated multicast/feedback

Yvo Desmedt; Yair Frankel; Moti Yung

IBM T. J. Watson Research Center, Yorktown Heights, NY.


Information Processing Letters | 2005

A secure and scalable Group Key Exchange system

Mike Burmester; Yvo Desmedt



international workshop on security | 1996

Efficient and Secure Conference-Key Distribution

Mike Burmester; Yvo Desmedt

A traceability scheme is a broadcast encryption scheme such that a data supplier T can trace malicious authorized users (traitors) who gave a decryption key to an unauthorized user (pirate). This paper first derives lower bounds on the sizes of keys and ciphertexts. These bounds are all tight because an optimum one-time use scheme is also presented. We then propose a multiple-use scheme which approximately meets our bounds. This scheme is proven to be secure as well as much more efficient than the schemes by Chor, Fiat and Naor. Finally, practical types of asymmetric schemes with arbiter are discussed in which T cannot frame any authorized user as a traitor.


international cryptology conference | 2002

Perfectly Secure Message Transmission Revisited

Yvo Desmedt; Yongge Wang

The authors extend the use of traditional point-to-point message authentication to multireceiver and/or multisender scenarios. They provide efficient cryptographic authentication methods for point-to-multipoint communication, where a single sender can broadcast (multicast) only one unconditionally secure authenticator for a message and which all receivers can verify. They further develop multipoint-to-point communication (incast) in which any subset (of a specified size) of a group of individuals can transmit a single authenticator (or a signature) for a message using the group's key. This method has been called threshold authentication. It is an application layer that is transparent to the receiver which only deals with the group as one entity. The bandwidth, computations, and storage overheads are reduced substantially when compared with the traditional approach. Threshold authentication hides some aspects of the internal structure of the group, which may be important in interenterprise communication.

Collaboration


Top Co-Authors

Mike Burmester

Florida State University

Yongge Wang

University of North Carolina at Charlotte

Yair Frankel

University of Wisconsin–Milwaukee

Jean-Jacques Quisquater

Université catholique de Louvain

René Govaerts

Katholieke Universiteit Leuven

Joos Vandewalle

Katholieke Universiteit Leuven

George I. Davida

University of Wisconsin–Milwaukee

Shah Mahmood

University College London