Multicast Security. a multicast network is a network of users in which it is possible to send messages simultanously to all of the users

Similar documents
Sharing Several Secrets based on Lagrange s Interpolation formula and Cipher Feedback Mode

Dawn Song

Secret Sharing With Trusted Third Parties Using Piggy Bank Protocol

MTAT Research Seminar in Cryptography Building a secure aggregation database

Secret Sharing. See: Shamir, How to Share a Secret, CACM, Vol. 22, No. 11, November 1979, pp c Eli Biham - June 2, Secret Sharing

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

-3- Additionally or alternatively, the invention may comprise a method of controlling access to a digital wallet, the method comprising the steps:

Attribute-based encryption with encryption and decryption outsourcing

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

User-Friendly Sharing System using Polynomials with Different Primes in Two Images

T Cryptography and Data Security

Prime Field over Elliptic Curve Cryptography for Secured Message Transaction

Chapter 9. Public Key Cryptography, RSA And Key Management

Cryptography and Network Security

Some Algebraic (n, n)-secret Image Sharing Schemes

Key Management and Distribution

A Mathematical Proof. Zero Knowledge Protocols. Interactive Proof System. Other Kinds of Proofs. When referring to a proof in logic we usually mean:

Zero Knowledge Protocols. c Eli Biham - May 3, Zero Knowledge Protocols (16)

Practical Threshold Signatures with Linear Secret Sharing Schemes

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

CSC 774 Advanced Network Security

An Overview of Secure Multiparty Computation

Signature schemes variations

Algorithms (III) Yijia Chen Shanghai Jiaotong University

1. Diffie-Hellman Key Exchange

Algorithms (III) Yu Yu. Shanghai Jiaotong University

Attribute Based Group Key Management

T Cryptography and Data Security

9.5 Equivalence Relations

Proofs for Key Establishment Protocols

Efficient Generation of Linear Secret Sharing. Scheme Matrices from Threshold Access Trees

Zero private information leak using multi-level security and privileged access for designated authorities on demand

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

Cryptography and Network Security Chapter 10. Fourth Edition by William Stallings

Semantic Encoding and Compression of Database Tables

Other Topics in Cryptography. Truong Tuan Anh

ISO/IEC INTERNATIONAL STANDARD

Non-Interactive Conference Key Distribution and Its Applications

Fighting Pirates 2.0

Using Commutative Encryption to Share a Secret

An Online Threshold Key Distribution Scheme for Symmetric Key Management

Lecture 07: Private-key Encryption. Private-key Encryption

A Self-healing Key Distribution Scheme with Novel Properties

Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining

Digital Multi Signature Schemes Premalatha A Grandhi

More crypto and security

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

Public-key Cryptography: Theory and Practice

How to securely perform computations on secret-shared data

SECRET SHARING SECRET SPLITTING

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Chapter 3 Public Key Cryptography

A Group-oriented Access Control Scheme for P2P Networks 1

Threshold Paillier and Naccache-Stern Cryptosystems Based on Asmuth-Bloom Secret Sharing

Key establishment in sensor networks

Spring 2010: CS419 Computer Security

Remote E-Voting System

CPSC 467b: Cryptography and Computer Security

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

A Thesis for the Degree of Master of Science. Provably Secure Threshold Blind Signature Scheme Using Pairings

Session key establishment protocols

Session Key Distribution

February 23 Math 2335 sec 51 Spring 2016

Lecture 2 Applied Cryptography (Part 2)

More NP-complete Problems. CS255 Chris Pollett May 3, 2006.

Session key establishment protocols

SEC 1: Elliptic Curve Cryptography

Secure Multiparty Computation

Applied Cryptography and Computer Security CSE 664 Spring 2017

Decrypting Network Traffic- Shared Access Control

Advanced Topics in Cryptography

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Attribute-Based Authenticated Key Exchange

CS Computer Networks 1: Authentication

1.264 Lecture 28. Cryptography: Asymmetric keys

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Key Escrow in Mutually Mistrusting Domains?

Cryptographic Systems

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

Lecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005

Verifiably Encrypted Signature Scheme with Threshold Adjudication

A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems.

Public-key encipherment concept

Cryptography: More Primitives

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Lecture 1: Course Introduction

On Key Assignment for Hierarchical Access Control

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

Algorithms (III) Yijia Chen Shanghai Jiaotong University

CT30A8800 Secured communications

Secure Multiparty Computation with Minimal Interaction

Crypto Background & Concepts SGX Software Attestation

NP-Complete Reductions 2

HOST Authentication Overview ECE 525

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Public Key Algorithms

Group Authentication Using The Naccache-Stern Public-Key Cryptosystem

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

A Security Infrastructure for Trusted Devices

Transcription:

Multicast Security a multicast message is a message that has many designated receivers, i.e., one-to-many communication as opposed to one-to-one communication a multicast network is a network of users in which it is possible to send messages simultanously to all of the users two benchmark scenarios for multicast security: single source broadcast a single entity broadcasts information to a long-lived, possibly dynamic, group (consisting of some or all of the users in the network) virtual conference a subset of the network users wish to form a small virtual conference, i.e., a short-lived, static, group Lecture 14, Oct. 27, 2003 1

Possible Goals in a single source broadcast, we might want to achieve one or more of the following goals: confidentiality, data integrity key revocation, key updating source authentication copyright protection in a virtual conference, we might want to achieve one or more of the following goals: establishment of a group session key (which enables confidentiality and data integrity within the group) source or group authentication anonymity shared access control Lecture 14, Oct. 27, 2003 2

Cryptographic Tools New cryptographic tools are required to enable multicast security: secret sharing schemes distributing shares of a secret in such a way that a specified threshold of shares is required to reconstruct the secret; used as a building block in more complicated protocols group key predistribution schemes KPS in whick keys are associated with groups of users of a certain size; secure against coalitions of a certain size broadcast encryption/exclusion broadcasting an encrypted message in such a way that only users in a specified group can decrypt the message; secure against coalitions of a certain size; used for group session key distribution and key updating Lecture 14, Oct. 27, 2003 3

Cryptographic Tools (cont.) tracing schemes also called fingerprinting schemes; they comprise techniques and algorithms to facilitate tracing of illegally redistributed keys and/or content back to the owners interactive group KAS KAS in which a session key is established for a specified group of users multireceiver authentication codes a MAC in which all the users in a specified group can validate the authenticity and/or the source of data transmitted by one of the group members Lecture 14, Oct. 27, 2003 4

Secret Sharing (overview) various types of shared control schemes depend on a cryptographic primitive called a (t, n)-threshold scheme let t and n be positive integers, t n we have a trusted authority, denoted TA,andn users, denoted U 1,...,U n the TA has a secret value K K, called a secret or a key, where K is a specified finite set Lecture 14, Oct. 27, 2003 5

Secret Sharing (overview) the TA uses a share generation algorithm to split K into n shares, denoted s 1,...,s n each share s i S, wheres is a specified finite set for every i, 1 i n, theshares i is transmitted by the TA to user U i using a secure channel the following two properties should hold: 1. a reconstruction algorithm can be used to reconstruct the secret, given any t of the n shares, 2. no t 1 shares reveal any information as to the value of the secret Lecture 14, Oct. 27, 2003 6

An (n, n)-threshold Scheme suppose K Z m is the secret let s 1,...,s n 1 be chosen independently and uniformly at random from Z m let s n = K n 1 i=1 s i mod m s 1,...,s n are shares of an (n, n)-threshold scheme: 1. K = s i mod m 2. given all the shares except s j, K could take on any value, depending on the value of the share s j Lecture 14, Oct. 27, 2003 7

Shamir Threshold Scheme in 1979, Shamir showed how to construct a (t, n)-threshold scheme based on polynomial interpolation over Z p,wherep is prime let p n +1beaprime let K = S = Z p in an initialization phase, x 1,x 2,...,x n are defined to be n distinct non-zero elements of Z p the TA gives x i to U i, for all i, 1 i n the x i s are public information Lecture 14, Oct. 27, 2003 8

Share Generation for the Shamir Scheme given a secret K Z p, the share generation algorithm is as follows: 1. the TA chooses a 1,...,a t 1 independently and uniformly at random from Z p 2. the TA defines a(x) =K + t 1 j=1 a j x j (note that a(x) Z p [x] is a random polynomial of degree at most t 1, such that the constant term is the secret, K) 3. for 1 i n, theta constructs the share s i = a(x i ) Lecture 14, Oct. 27, 2003 9

Reconstruction Algorithm for the Shamir Scheme suppose users U i1,...,u it want to determine K they know that s ij = a(x ij ), 1 j t since a(x) is a polynomial of degree at most t 1, they can determine a(x) by Lagrange interpolation; then K = a(0) recall the Lagrange interpolation formula: a(x) = t j=1 s ij 1 k t,k j x x ik x ij x ik set x =0: K = t j=1 s ij 1 k t,k j x ik x ij x ik = t j=1 s ij 1 k t,k j x ik x ik x ij Lecture 14, Oct. 27, 2003 10

Reconstruction Algorithm for the Shamir Scheme (cont.) for 1 j t, define b j = 1 k t,k j x ik x ik x ij the b j s do not depend on the shares, so they can be precomputed (for a given subset of t users) then K can be computed from the formula K = t b j s ij j=1 Lecture 14, Oct. 27, 2003 11

Example suppose that p = 17, t =3,andn = 5; and the public x-co-ordinates are x i = i, 1 i 5 suppose that the group G = {U 1, U 3, U 5 } wishes to compute K, given their shares 8, 10, and 11, respectively it is possible to (pre)compute b 1, b 2,andb 3 : b 1 = x 3 x 5 (x 3 x 1 )(x 5 x 1 ) mod 17 = 3 5 ( 2) 1 ( 4) 1 mod 17 = 4, b 2 = 3, and b 3 = 11 then the users in G can (collectively) compute K as follows: K =4 8+3 10 + 11 11 mod 17 = 13 Lecture 14, Oct. 27, 2003 12

Security of the Shamir Scheme suppose users U i1,...,u it 1 want to determine K they know that s ij = a(x ij ), 1 j t 1 let K 0 be arbitrary by Lagrange interpolation, there is a unique polynomial a 0 (x) such that s ij = a 0 (x ij )for1 j t 1andsuchthat K 0 = a 0 (0) hence no value of K can be ruled out, given the shares held by t 1users Lecture 14, Oct. 27, 2003 13

Key Distribution Patterns supposewehaveata and a network of n users, U = {U 1,...,U n } the TA chooses v random keys, say k 1,...,k v K, where (K, +) is an additive abelian group, and gives a (different) subset of keys to each user a key distribution pattern is a public v by n incidence matrix, denoted M, which has entries in {0, 1} M specifies which users are to receive which keys: user U j is given the key k i if and only if M[i, j] =1 for a subset P U, define keys(p )={i : M[i, j] = 1 for all U j P } Lecture 14, Oct. 27, 2003 14

Key Distribution Patterns (cont.) observe that keys(p )= keys(u j ) U j P if keys(p ), then the group key k P for the set P is defined to be k P = i keys(p ) each member of P can compute k P (no interaction requred) suppose F P = the coalition F can compute k P if and only if keys(p ) keys(u j ) U j F k i Lecture 14, Oct. 27, 2003 15

A Trivial Example Suppose n =4,v =6,andthematrixM is as follows: 1 1 0 0 1 0 1 0 1 0 0 1 M = 0 1 1 0 0 1 0 1 0 0 1 1 keys(u 1 )={1, 2, 3}, keys(u 2 )={1, 4, 5}, andkeys(u 1, U 2 )={1}, so k {U1,U 2 } = k 1. Lecture 14, Oct. 27, 2003 16

A Trivial Generalization it is always possible to construct a trivial ( n 2) by n KDP, in which any two users have exactly one common key, and each key is given to exactly two users in this KDP, each user must store n 1keys the group key for any two users is the unique key that they both possess there are ( n 2) group keys each group key k {Uj,U j } is secure against the coalition U\{U j, U j } having size n 2 Lecture 14, Oct. 27, 2003 17

A More Interesting Example Suppose n =7,v =7,andthematrixM is as follows: 1 1 1 0 1 0 0 0 1 1 1 0 1 0 0 0 1 1 1 0 1 M = 1 0 0 1 1 1 0 0 1 0 0 1 1 1 1 0 1 0 0 1 1 1 1 0 1 0 0 1 keys(u 1 )={1, 4, 6, 7}, keys(u 2 )={1, 2, 5, 7}, and keys(u 1, U 2 )={1, 7}, sok {U1,U 2 } = k 1 + k 7. Lecture 14, Oct. 27, 2003 18

Example (cont.) no other user has both k 1 and k 2,sok {U1,U 2 } is secure against any other individual user however, U 3 and U 4 (for example) together can compute k {U1,U 2 } by pooling their secret information in this example, every pair of users can compute a key that is secure against any other individual user this scheme enables the construction of ( 7 2) =21groupkeysfor pairs of users Lecture 14, Oct. 27, 2003 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback