From the Publisher:
A valuable reference for the novice as well as for the expert who needs a wider scope of coverage within the area of cryptography, this book provides easy and rapid access of information and includes more than 200 algorithms and protocols; more than 200 tables and figures; more than 1,000 numbered definitions, facts, examples, notes, and remarks; and over 1,250 significant references, including brief comments on each paper.

Handbook of Applied Cryptography

The low-cost, off-the-shelf hardware components in unshielded sensor-network nodes leave them vulnerable to compromise. With little effort, an adversary may capture nodes, analyze and replicate them, and surreptitiously insert these replicas at strategic locations within the network. Such attacks may have severe consequences; they may allow the adversary to corrupt network data or even disconnect significant parts of the network. Previous node replication detection schemes depend primarily on centralized mechanisms with single points of failure, or on neighborhood voting protocols that fail to detect distributed replications. To address these fundamental limitations, we propose two new algorithms based on emergent properties (Gligor (2004)), i.e., properties that arise only through the collective action of multiple nodes. Randomized multicast distributes node location information to randomly-selected witnesses, exploiting the birthday paradox to detect replicated nodes, while line-selected multicast uses the topology of the network to detect replication. Both algorithms provide globally-aware, distributed node-replica detection, and line-selected multicast displays particularly strong performance characteristics. We show that emergent algorithms represent a promising new approach to sensor network security; moreover, our results naturally extend to other classes of networks in which nodes can be captured, replicated and re-inserted by an adversary.

/pdf/distributed-detection-of-node-replication-attacks-in-sensor-tk0j0bfswe.pdf

Distributed detection of node replication attacks in sensor networks

An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users' keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor Tracing by Chor, Fiat and Naor. We refer to such schemes as traitor tracing with constant transmission rate. Here we present a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large. Our starting point is the notion of copyrighted function which was presented by Naccache, Shamir and Stern. We first solve the open problem of discrete-log-based and public-key-based copyrighted function. Then, we observe the simple yet crucial relation between (public-key) copyrighted encryption and (public-key) traitor tracing, which we exploit by introducing a generic design paradigm for designing constant transmission rate traitor tracing schemes based on copyrighted encryption functions. Our first scheme achieves the same expansion efficiency as regular ElGamal encryption. The second scheme introduces only a slightly larger (constant) overhead, however, it additionally achieves efficient black-box traitor tracing (against any pirate construction).

Traitor Tracing with constant transmission rate

In this paper we analyze perfectly secure key distribution schemes for dynamic conferences. In this setting, any member of a group of t users can compute a common key using only his private initial piece of information and the identities of the other t −1 users in the group. Keys are secure against coalitions of up to k users; that is, even if k users pool together their pieces they cannot compute anything about a key of any conference comprised of t other users. First we consider a noninteractive model where users compute the common key without any interaction. We prove the tight bound on the size of each user's piece of information of[formula]times the size of the common key. Then, we consider the model where interaction is allowed in the common key computation phase and show a gap between the models by exhibiting a one-round interactive scheme in which the user's information is only k + t −1 times the size of the common key. Finally, we present its adaptation to network topologies with neighbourhood constraints and to asymmetric (e.g., client-server) communication models.

Perfectly secure key distribution for dynamic conferences

This paper provides an exposition of methods by which a trusted authority can distribute keys and/or broadcast a message over a network, so that each member of a privileged subset of users can compute a specified key or decrypt the broadcast message Moreover, this is done in such a way that no coalition is able to recover any information on a key or broadcast message they are not supposed to know The problems are studied using the tools of information theory, so the security provided is unconditional (ie, not based on any computational assumption)

We begin by surveying some useful schemes for key distribution that have been presented in the literature, giving background and examples (but not too many proofs) In particular, we look more closely at the attractive concept of key distribution patterns, and present a new method for making these schemes more efficient through the use of resilient functions Then we present a general approach to the construction of broadcast schemes that combines key predistribution schemes with secret sharing schemes We discuss the Fiat-Naor Broadcast Scheme, as well as other, new schemes that can be constructed using this approach

On Some Methods for Unconditionally Secure Key Distributionand Broadcast Encryption

Fiat and Naor [5] presented at Crypto '93 a new encryption scheme designed for broadcast transmissions. The feature of this scheme is to allow a central broadcast site to broadcast secure transmissions to an arbitrary set of recipients. In this paper we model the problem of unconditionally secure broadcast encryption schemes with an information theoretic framework. We obtain tight limitations both on the number of private keys associated with each user and on the number of keys generated by the center. Finally, we consider the model where interaction is allowed in the common key computation phase proving that the interaction cannot help in decreasing the size of the pieces of information given to the users in the broadcast encryption schemes.

/pdf/space-requirements-for-broadcast-encryption-572uyon7q5.pdf

Space requirements for broadcast encryption

We consider secret sharing schemes in which the dealer has the feature of being able (after a preprocessing stage) to activate a particular access structure out of a given set and/or to allow the participants to reconstruct different secrets (in different time instants) by sending to all participants the same broadcast message. In this paper we establish a formal setting to study such secret sharing schemes. The security of the schemes presented is unconditional, since they are not based on any computational assumption. We give bounds on the size of the shares held by participants and on the site of the broadcast message in such schemes.

/pdf/fully-dynamic-secret-sharing-schemes-541usqkq1p.pdf

Fully dynamic secret sharing schemes

A secret sharing scheme permits a secret to be shared among participants in such a way that only qualified subsets of participants can recover the secret. If any non qualified subset has absolutely no information about the secret, then the scheme is called perfect. Unfortunately, in this case the size of the shares cannot be less than the size of the secret. Krawczyk [9] showed how to improve this bound in the case of computational threshold schemes by using Rabin's information dispersal algorithms [14], [15].

We show how to extend the information dispersal algorithm for general access structure (we call access structure, the set of all qualified subsets). We give bounds on the amount of information each participant must have. Then we apply this to construct computational schemes for general access structures. The size of shares each participant must have in our schemes is nearly minimal: it is equal to the minimal bound plus a piece of information whose length does not depend on the secret size but just on the security parameter.

/pdf/general-short-computational-secret-sharing-schemes-2ua0e6pw09.pdf

General short computational secret sharing schemes

A key distribution scheme is a method by means of which a trusted party distributes pieces of information among a set of users in such a way that each group of them can compute a common key for secure communication. In this paper we present a model for unconditionally secure key distribution schemes, i.e., schemes whose security is independent of the power of the adversary. We prove lower bounds on the amount of information the trusted party has to generate and each user has to keep secret in such schemes, and we show that some previous unconditionally secure models for key distribution fall in our model. As a consequence, the lower bounds given in the literature for these models can be seen as corollaries of our results. Hence, the main contribution of the paper consists in pointing out a sort of common structure underlying some apparently different key distribution techniques.

Antonella Cresti

Papers

Space requirements for broadcast encryption

Fully dynamic secret sharing schemes

Fully dynamic secret sharing schemes

General short computational secret sharing schemes

A unified model for unconditionally secure key distribution