Advances in Cryptology — CRYPTO’ 99

This paper presents a new signature forgery strategy.The attack is a sophisticated variant of Desmedt-Odlyzko’s method [11] where the attacker obtains the signatures of m₁, ..., m_τ−1 and exhibits the signature of an m_τ which was never submitted to the signer; we assume that all messages are padded by a redundancy function µ before being signed.Before interacting with the signer, the attacker selects µ smooth1µ(m_i)-values and expresses µ(m_τ) as amultiplicative combination of the padded strings µ(m₁), ..., µ(m_τ−1). The signature of m_τ is then forged using the homomorphic property of RSA.For din ni-17.4, pkcs #1 v2.0 and ssl-3.02, the attack is only theoretical since it only applies to specific moduli and happens to be less efficient than factoring; therefore, the attack does not endanger any of these standards.

The RSA public key cryptosystem is based on a single modular equation in one variable. A natural generalization of this approach is to consider systems of several modular equations in several variables. In this paper we consider Patarin’s Hidden Field Equations (HFE) scheme, which is believed to be one of the strongest schemes of this type. We represent the published system of multivariate polynomials by a single univariate polynomial of a special form over an extension field, and use it to reduce the cryptanalytic problem to a system of ∈m2 quadratic equations in m variables over the extension field. Finally, we develop a new relinearization method for solving such systems for any constant ∈ > 0 in expected polynomial time. The new type of attack is quite general, and in a companion paper we use it to attack other multivariate algebraic schemes, such as the Dragon encryption and signature schemes. However, we would like to emphasize that the polynomial time complexities may be infeasibly large for some choices of the parameters, and thus some variants of these schemes may remain practically unbroken in spite of the new attack.

At Eurocrypt’98, Boyko, Peinado and Venkatesan presented simple and very fast methods for generating randomly distributed pairs of the form (x; gx mod p) using precomputation. The security of these methods relied on the potential hardness of a new problem, the so-called hidden subset sum problem. Surprisingly, apart from exhaustive search, no algorithm to solve this problem was known. In this paper, we exhibit a security criterion for the hidden subset sum problem, and discuss its implications on the practicability of the precomputation schemes. Our results are twofold. On the one hand, we present an efficient lattice-based attack which is expected to succeed if and only if the parameters satisfy a particular condition that we make explicit. Experiments have validated the theoretical analysis, and show the limitations of the precomputation methods. For instance, any realistic smart-card implementation of Schnorr’s identification scheme using these precomputations methods is either vulnerable to the attack, or less efficient than with traditional precomputation methods. On the other hand, we show that, when another condition is satisfied, the pseudo-random generator based on the hidden subset sum problem is strong in some precise sense which includes attacks via lattice reduction. Namely, using the discrete Fourier transform, we prove that the distribution of the generator’s output is indistinguishable from the uniform distribution. The two conditions complement each other quite well, and therefore form a convincing picture of the security level.

We discuss several applications of information theory in cryptography, both for unconditional and for computational security. Unconditionally-secure secrecy, authentication, and key agreement are reviewed. It is argued that unconditional security can practically be achieved by exploiting the fact that cryptography takes place in a physical world in which, for instance due to noise, nobody can have complete information about the state of a system.The general concept of an information-theoretic cryptographic primitive is proposed which covers many previously considered primitives like oblivious transfer, noisy channels, and multi-party computation. Many results in information-theoretic cryptography can be phrased as reductions among such primitives We also propose the concept of a generalized random oracle which answers more general queries than the evaluation of a random function. They have applications in proofs of the computational security of certain cryptographic schemes.This extended abstract summarizes in an informal and non-technical way some of the material presented in the author’s lecture to be given at Crypto ’99.

We provide a simple secret-key two-party secure communication scheme, which is provably information-theoretically secure in the limited-storage-space model. The limited-storage-space model postulates an eavesdropper who can execute arbitrarily complex computations, and is only limited in the total amount of storage space (not computation space) available to him. The bound on the storage space can be arbitrarily large (e.g. terabytes), as long as it is fixed. Given this bound, the protocol guarantees that the probability of the eavesdropper of gaining any information on the message is exponentially small. The proof of our main results utilizes a novel combination of linear algebra and Kolmogorov complexity considerations.

A function f is computationally securely computable if two computationally-bounded parties Alice, having a secret input x, and Bob, having a secret input y, can talk back and forth so that (even if one of them is malicious) (1) Bob learns essentially only f(x,y) while (2) Alice learns essentially nothing.We prove that, if any non-trivial function can be so computed, then so can every function. Consequently, the complexity assumptions sufficient and/or required for computationally securely computing f are the same for every non-trivial function f.

We present adaptively-secure efficient solutions to several central problems in the area of threshold cryptography. We prove these solutions to withstand adaptive attackers that choose parties for corruption at any time during the run of the protocol. In contrast, all previously known efficient protocols for these problems were proven secure only against less realistic static adversaries that choose and fix the subset of corrupted parties before the start of the protocol run.Specifically, we provide adaptively-secure solutions for distributed key generation in discrete-log based cryptosystems, and for the problem of distributed generation of DSS signatures (threshold DSS). We also show how to transform existent static solutions for threshold RSA and proactive schemes to withstand the stronger adaptive attackers. In doing so, we introduce several techniques for the design and analysis of adaptively-secure protocols that may well find further applications.

We present a protocol for two parties to generate an RSA key in a distributed manner. At the end of the protocol the public key: a modulus N = PQ, and an encryption exponent e are known to both parties. Individually, neither party obtains information about the decryption key d and the prime factors of N: P and Q. However, d is shared among the parties so that threshold decryption is possible.

An optimally resilient distributed multiplication protocol that enjoys the property of non-interactivity is presented. The protocol relies on a standard cryptographic assumption and works over a complete, synchronous, untappable network with a broadcast channel. As long as no disruption occurs, each player uses those channels only once to send messages; thus no interaction is needed among players. The cost is an increase in local computation and communication complexity that is determined by the factor of the threshold.As an application of the proposed protocol we present a robust threshold version of the Cramer-Shoup cryptosystem, which is the first non-interactive solution with optimal resilience.

A publicly verifiable secret sharing (PVSS) scheme is a verifiable secret sharing scheme with the property that the validity of the shares distributed by the dealer can be verified by any party; hence verification is not limited to the respective participants receiving the shares. We present a new construction for PVSS schemes, which compared to previous solutions by Stadler and later by Fujisaki and Okamoto, achieves improvements both in efficiency and in the type of intractability assumptions. The running time is O(nk), where k is a security parameter, and n is the number of participants, hence essentially optimal. The intractability assumptions are the standard Diffie-Hellman assumption and its decisional variant. We present several applications of our PVSS scheme, among which is a new type of universally verifiable election scheme based on PVSS. The election scheme becomes quite practical and combines several advantages of related electronic voting schemes, which makes it of interest in its own right.

We consider a range of attacks on reduced-round variants of the block cipher Skipjack. In particular we concentrate on the role of truncated differentials and consider what insight they give us into the design and long-term security of Skipjack. An attack on the full 32 rounds of Skipjack remains elusive. However we give attacks on the first 16 rounds of Skipjack that can efficiently recover the key with about 217 chosen plaintexts and an attack on the middle sixteen rounds of Skipjack which recovers the secret key using only two chosen plaintexts. Several high-probability truncated differentials are presented the existence of which might best be described as surprising. Most notably, we show that the techniques used by Biham et al. can be presented in terms of truncated differentials and that there exists a 24-round truncated differential that holds with probability one.

This paper describes new methods for fast correlation attacks on stream ciphers, based on techniques used for constructing and decoding the by now famous turbo codes. The proposed algorithm consists of two parts, a preprocessing part and a decoding part. The preprocessing part identifies several parallel convolutional codes, embedded in the code generated by the LFSR, all sharing the same information bits. The decoding part then finds the correct information bits through an iterative decoding procedure. This provides the initial state of the LFSR.

Siegenthaler proved that an n input 1 output, m-resilient (balanced mth order correlation immune) Boolean function with algebraic degree d satisfies the inequality: m + d ≤ n − 1. We provide a new construction method using a small set of recursive operations for a large class of highly nonlinear, resilient Boolean functions optimizing Siegenthaler’s inequality m + d = n − 1. Comparisons to previous constructions show that better nonlinearity can be obtained by our method. In particular, we show that as n increases, for almost all m, the nonlinearity obtained by our method is better than that provided by Seberry et al in Eurocrypt’93. For small values of n, the functions constructed by our method is better than or at least comparable to those constructed using the methods provided in papers by Filiol et al and Millan et al in Eurocrypt’98. Our technique can be used to construct functions on large number of input variables with simple hardware implementation.

We describe a message authentication algorithm, UMAC, which can authenticate messages (in software, on contemporary machines) roughly an order of magnitude faster than current practice (e.g., HMAC-SHA1), and about twice as fast as times previously reported for the universal hash-function family MMH. To achieve such speeds, UMAC uses a new universal hash-function family, NH, and a design which allows effective exploitation of SIMD parallelism. The “cryptographic” work of UMAC is done using standard primitives of the user’s choice, such as a block cipher or cryptographic hash function; no new heuristic primitives are developed here. Instead, the security of UMAC is rigorously proven, in the sense of giving exact and quantitatively strong results which demonstrate an inability to forge UMAC-authenticated messages assuming an inability to break the underlying cryptographic primitive. Unlike conventional, inherently serial MACs, UMAC is parallelizable, and will have ever-faster implementation speeds as machines offer up increasing amounts of parallelism. We envision UMAC as a practical algorithm for next-generation message authentication.

This paper introduces two new ideas in the construction of fast universal hash functions geared towards the task of message authentication. First, we describe a simple but novel family of universal hash functions that is more efficient than many standard constructions. We compare our hash functions to the MMH family studied by Halevi and Krawczyk [12]. All the main techniques used to optimize MMH work on our hash functions as well. Second, we introduce additional techniques for speeding up our constructions; these techniques apply to MMH and may apply to other hash functions. The techniques involve ignoring certain parts of the computation, while still retaining the necessary statistical properties for secure message authentication. Finally, we give implementation results on an ARM processor. Our constructions are general and can be used in any setting where universal hash functions are needed; therefore they may be of independent interest.

Practical MACs are typically designed by iterating applications of some fixed-input-length (FIL) primitive, namely one like a block cipher or compression function that only applies to data of a fixed length. Existing security analyses of these constructions either require a stronger security property from the FIL primitive (eg. pseudorandomness) than the unforgeability required of the final MAC, or, as in the case of HMAC, make assumptions about the iterated function itself. In this paper we consider the design of iterated MACs under the (minimal) assumption that the given FIL primitive is itself a MAC. We look at three popular transforms, namely CBC, Feistel and the Merkle-Damgård method, and ask for each whether it preserves unforgeability. We show that the answer is no in the first two cases and yes in the third. The last yields an alternative cryptographic hash function based MAC which is secure under weaker assumptions than existing ones, although at a slight increase in cost.

Many cryptographic solutions based on pseudorandom functions (for common problems like encryption, message-authentication or challenge-response protocols) have the following feature: There is a stateful (counter based) version of the scheme that has high security, but if, to avoid the use of state, we substitute a random value for the counter, the security of the scheme drops below the birthday bound. In some situations the use of counters or other forms of state is impractical or unsafe. Can we get security beyond the birthday bound without using counters?This paper presents a paradigm for strengthening pseudorandom function usages to this end, the idea of which is roughly to use the XOR of the values of a pseudorandom function on a small number of distinct random points in place of its value on a single point. We establish two general security properties of our construction, “pseudorandomness” and “integrity”, with security beyond the birthday bound. These can be applied to derive encryption schemes, and MAC schemes (based on universal hash functions), that have security well beyond the birthday bound, without the use of state and at moderate computational cost.

Recent results of Ajtai on the hardness of lattice problems have inspired several cryptographic protocols. At Crypto ’97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the closest vector problem in a lattice, which is known to be NP-hard. We show that there is a major flaw in the design of the scheme which has two implications: any ciphertext leaks information on the plaintext, and the problem of decrypting ciphertexts can be reduced to a special closest vector problem which is much easier than the general problem. As an application, we solved four out of the five numerical challenges proposed on the Internet by the authors of the cryptosystem. At least two of those four challenges were conjectured to be intractable. We discuss ways to prevent the flaw, but conclude that, even modified, the scheme cannot provide sufficient security without being impractical.

This note continues a sequence of attempts to define efficient digital signature schemes based on low-degree polynomials, or to break such schemes. We consider a scheme proposed by Satoh and Araki (1997), which generalizes the Ong-Schnorr-Shamir scheme to the non-commutative ring of quaternions. We give two different ways to break the scheme.

The function decomposition problem can be stated as: Given the algebraic expression of the composition of two mappings, how can we identify the two factors? This problem is believed to be in general intractable [1]. Based on this belief, J. Patarin and L. Goubin designed a new family of candidates for public key cryptography, the so called “2R—schemes” [10], [11]. The public key of a “2R”-scheme is a composition of two quadratic mappings, which is given by n polynomials in n variables over a finite field K with q elements. In this paper, we contend that a composition of two quadratic mappings can be decomposed in most cases as long as q > 4. Our method is based on heuristic arguments rather than rigorous proofs. However, through computer experiments, we have observed its effectiveness when applied to the example scheme “D**” given in [10].

We present an algorithm for factoring integers of the form N = prq for large r. Such integers were previously proposed for various cryptographic applications. When r ≈ log p our algorithm runs in polynomial time (in log N). Hence, we obtain a new class of integers that can be efficiently factored. When r ≈ $$ r \approx \sqrt {\log {\mathbf{ }}p} $$ the algorithm is asymptotically faster than the Elliptic Curve Method. Our results suggest that integers of the form N = prq should be used with care. This is especially true when r is large, namely r greater than $$ \sqrt {\log {\mathbf{ }}p} $$.

We construct a public key encryption scheme in which there is one public encryption key, but many private decryption keys. If some digital content (e.g., a music clip) is encrypted using the public key and distributed through a broadcast channel, then each legitimate user can decrypt using its own private key. Furthermore, if a coalition of users collude to create a new decryption key then there is an efficient algorithm to trace the new key to its creators. Hence, our system provides a simple and efficient solution to the “traitor tracing problem”. Our tracing algorithm is deterministic, and catches all active traitors while never accusing innocent users, although it is only partially “black box”. A minor modification to the scheme enables it to resist an adaptive chosen ciphertext attack. Our techniques apply error correcting codes to the discrete log representation problem.

Traitor tracing schemes were introduced so as to combat the typical piracy scenario whereby pirate decoders (or access control smart-cards) are manufactured and sold by pirates to illegal subscribers. Those traitor tracing schemes, however, are ineffective for the currently less common scenario where a pirate publishes the periodical access control keys on the Internet or, alternatively, simply rebroadcasts the content via an independent pirate network. This new piracy scenario may become especially attractive (to pirates) in the context of broadband multicast over the Internet. In this paper we consider the consequences of this type of piracy and offer countermeasures. We introduce the concept of dynamic traitor tracing which is a practical and efficient tool to combat this type of piracy. We also consider the static watermarking problem, presented by Boneh and Shaw, and derive bounds on the performance parameters of the “natural majority algorithm”.

In many applications for content distribution, broadcast channels are used to transmit information from a distribution center to a large set of users. Broadcast encryption schemes enable the center to prevent certain users from recovering the information that is broadcast in encrypted form, while traceability schemes enable the center to trace users who collude to produce pirate decoders. In this paper, we study general methods for integrating traceability and broadcasting capability. In particular, we present a method for adding any desired level of broadcasting capability to any traceability scheme and a method for adding any desired level of traceability to any broadcast encryption scheme. To support our general methods, we also present new constructions of broadcast encryption schemes which are close to optimal in terms of the total number keys required. Our new schemes are the first to be both maximally resilient and fully scalable.

Cryptosystem designers frequently assume that secrets will be manipulated in closed, reliable computing environments. Unfortunately, actual computers and microchips leak information about the operations they process. This paper examines specific methods for analyzing power consumption measurements to find secret keys from tamper resistant devices. We also discuss approaches for building cryptosystems that can operate securely in existing hardware that leaks information.

Side channel cryptanalysis techniques, such as the analysis of instantaneous power consumption, have been extremely effective in attacking implementations on simple hardware platforms. There are several proposed solutions to resist these attacks, most of which are ad—hoc and can easily be rendered ineffective. A scientific approach is to create a model for the physical characteristics of the device, and then design implementations provably secure in that model, i.e, they resist generic attacks with an a priori bound on the number of experiments. We propose an abstract model which approximates power consumption in most devices and in particular small single—chip devices. Using this, we propose a generic technique to create provably resistant implementations for devices where the power model has reasonable properties, and a source of randomness exists. We prove a lower bound on the number of experiments required to mount statistical attacks on devices whose physical characteristics satisfy reasonable properties.

A cryptographic protocol possesses separability if the participants can choose their keys independently of each other. This is advantageous from a key-management as well as from a security point of view. This paper focuses on separability in group signature schemes. Such schemes allow a group member to sign messages anonymously on the group’s behalf. However, in case of this anonymity’s misuse, a trustee can reveal the originator of a signature. We provide a generic fully separable group signature scheme and present an efficient instantiation thereof. The scheme is suited for large groups; the size of the group’s public key and the length of signatures do not depend on the number of group member. Its efficiency is comparable to the most efficient schemes that do not offer separability and is an order of magnitude more efficient than a previous scheme that provides partial separability. As a side result, we provide efficient proofs of the equality of two discrete logarithms from different groups and, more general, of the validity of polynomial relations in ℤ among discrete logarithms from different groups.

We describe a digital signature scheme in which the public key is fixed but the secret signing key is updated at regular intervals so as to provide a forward security property: compromise of the current secret key does not enable an adversary to forge signatures pertaining to the past. This can be useful to mitigate the damage caused by key exposure without requiring distribution of keys. Our construction uses ideas from the Fiat-Shamir and Ong-Schnorr identification and signature schemes, and is proven to be forward secure based on the hardness of factoring, in the random oracle model. The construction is also quite efficient.

We introduce the notion of abuse-free distributed contract signing, that is, distributed contract signing in which no party ever can prove to a third party that he is capable of choosing whether to validate or invalidate the contract. Assume Alice and Bob are signing a contract. If the contract protocol they use is not abuse-free, then it is possible for one party, say Alice, at some point to convince a third party, Val, that Bob is committed to the contract, whereas she is not yet. Contract protocols with this property are therefore not favorable to Bob, as there is a risk that Alice does not really want to sign the contract with him, but only use his willingness to sign to get leverage for another contract. Most existing optimistic contract signing schemes are not abuse-free. (The only optimistic contract signing scheme to date that does not have this property is inefficient, and is only abuse-free against an off-line attacker.) We give an efficient abuse-free optimistic contract-signing protocol based on ideas introduced for designated verifier proofs (i.e., proofs for which only a designated verifier can be convinced). Our basic solution is for two parties. We show that straightforward extensions to n > 2 party contracts do not work, and then show how to construct a three-party abuse-free optimistic contract-signing protocol. An important technique we introduce is a type of signature we call a private contract signature. Roughly, these are designated verifier signatures that can be converted into universally-verifiable signatures by either the signing party or a trusted third party appointed by the signing party, whose identity and power to convert can be verified (without interaction) by the party who is the designated verifier.

We extend the study of non-interactive statistical zero-knowledge proofs. Our main focus is to compare the class NISZK of problems possessing such non-interactive proofs to the class SZK of problems possessing interactive statistical zero-knowledge proofs. Along these lines, we first show that if statistical zero knowledge is non-trivial then so is non-interactive statistical zero knowledge, where by non-trivial we mean that the class includes problems which are not solvable in probabilistic polynomial-time. (The hypothesis holds under various assumptions, such as the intractability of the Discrete Logarithm Problem.) Furthermore, we show that if NISZK is closed under complement, then in fact SZK = NISZK, i.e. all statistical zero-knowledge proofs can be made non-interactive.The main tools in our analysis are two promise problems that are natural restrictions of promise problems known to be complete for SZK. We show that these restricted problems are in fact complete for NISZK and use this relationship to derive our results comparing the two classes. The two problems refer to the statistical difference, and difference in entropy, respectively, of a given distribution from the uniform one. We also consider a weak form of NISZK, in which only requires that for every inverse polynomial 1=p(n), there exists a simulator which achieves simulator deviation 1=p(n), and show that this weak form of NISZK actually equals NISZK.

Concurrent Zero-Knowledge protocols remain zero-knowledge even when many sessions of them are executed together. These protocols have applications in a distributed setting, where many executions of the same protocol must take place at the same time by many parties, such as the Internet. In this paper, we are concerned with the number of rounds of interaction needed for such protocols and their efficiency. Here, we show an efficient constant-round concurrent zero-knowledge protocol with preprocessing for all languages in NP, where both the preprocessing phase and the proof phase each require 3 rounds of interaction. We make no timing assumptions or assumptions on the knowledge of the number of parties in the system. Moreover, we allow arbitrary interleavings in both the preprocessing and in the proof phase. Our techniques apply to both zero-knowledge proof systems and zero-knowledge arguments and we show how to extend our technique so that polynomial number of zero-knowledge proofs/arguments can be executed after the preprocessing phase is done.

This paper studies All-or-Nothing Transforms (AONTs), which have been proposed by Rivest as a mode of operation for block ciphers. An AONT is an unkeyed, invertible, randomized transformation, with the property that it is hard to invert unless all of the output is known. Applications of AONTs include improving the security and speed of encryption. We give several formal definitions of security for AONTs that are stronger and more suited to practical applications than the original definitions. We then prove that Optimal Asymmetric Encryption Padding (OAEP) satisfies these definitions (in the random oracle model). This is the first construction of an AONT that has been proven secure in the strong sense. Our bound on the adversary’s advantage is nearly optimal, in the sense that no adversary can do substantially better against the OAEP than by exhaustive search. We also show that no AONT can achieve substantially better security than OAEP.

We prove the equivalence of two definitions of non-malleable encryption appearing in the literature— the original one of Dolev, Dwork and Naor and the later one of Bellare, Desai, Pointcheval and Rogaway. The equivalence relies on a new characterization of non-malleable encryption in terms of the standard notion of indistinguishability of Gold-wasser and Micali. We show that non-malleability is equivalent to in-distinguishability under a “parallel chosen ciphertext attack,” this being a new kind of chosen ciphertext attack we introduce, in which the adversary’s decryption queries are not allowed to depend on answers to previous queries, but must be made all at once. This characterization simplifies both the notion of non-malleable encryption and its usage, and enables one to see more easily how it compares with other notions of encryption. The results here apply to non-malleable encryption under any form of attack, whether chosen-plaintext, chosen-ciphertext, or adaptive chosen-ciphertext.

This paper shows a generic and simple conversion from weak asymmetric and symmetric encryption schemes into an asymmetric encryption scheme which is secure in a very strong sense — indistinguishability against adaptive chosen-ciphertext attacks in the random oracle model. In particular, this conversion can be applied efficiently to an asymmetric encryption scheme that provides a large enough coin space and, for every message, many enough variants of the encryption, like the ElGamal encryption scheme.

Most anonymous, electronic cash systems are signature-based. A side effect of this is that in these systems the bank has the technical ability to issue unreported, valid money. It has been noticed in the past that this may lead to a disaster if the secret key of the bank is compromised. Furthermore, the above feature prevents any effective monitoring of the system.In this paper we build a fully anonymous, auditable system, by constructing an electronic cash system that is signature-free, and where the bank needs to have no secret at all. The security of the system relies instead on the ability of the bank to maintain the integrity of a public database. Our system takes a completely new direction for meeting the above requirements, and, in particular, it is the first to do so without the necessity of making individual transactions potentially traceable: payers enjoy unconditional anonymity for their payment transactions. The system is theoretically efficient but not yet practical.

We provide protocols for the following two-party problem: One party, the sender, has N values and the other party, the receiver, would like to learn k of them, deciding which ones in an adaptive manner (i.e. the ith value may depend on the first i-1 values). The sender does not want the receiver to obtain more than k values. This is a variant of the well known Oblivious Transfer (OT) problem and has applications in protecting privacy in various settings.We present efficient protocols for the problem that require an O(N) computation in the preprocessing stage and fixed computation (independent of k) for each new value the receiver obtains. The on-line computation involves roughly log N invocations of a 1-out-2 OT protocol. The protocols are based on a new primitive, sum consistent synthesizers.

A private-key cryptosystem may be viewed as a means by which a trusted dealer privately conveys a large, shared pseudo-random object to a pair of players, using little communication. Alternatively, the messages distributed by the dealer may be viewed as a secure compression of a pair of large identical random pads (or random functions) into a shorter shared “key” or “seed”.We pose the question of extending this compression problem to more general correlation patterns among several players. Unlike the simple case of identical pads, where the main security concern is with respect to external eavesdroppers, in the case of general correlations participants also have to be protected from each other. That is, collusions of computationally-bounded players should gain no additional knowledge about the joint pads of the remaining players from the compressed messages they receive, other than what follows from the pads they generate and from knowing the joint distribution of all pads. While this ideal requirement is inherently impossible to meet using little communication, it turns out that it can be approximated to a satisfactory level, allowing to securely use such compressed correlated pads in a wide class of protocols. We propose a simple and modular replication-based approach for securely compressing any linear correlation pattern, using pseudo-random generators or pseudo-random functions in a black-box manner. Applications include amortizing the communication costs of private multi-party computation and proactive secret-sharing of large secrets.

We consider the broadcast exclusion problem: how to transmit a message over a broadcast channel shared by N = 2n users so that all but some specified coalition of k excluded users can understand the contents of the message. Using error-correcting codes, and avoiding any computational assumptions in our constructions, we construct natural schemes that completely avoid any dependence on n in the transmission overhead.Specifically, we construct: (i) (for illustrative purposes), a randomized scheme where the server’s storage is exponential (in n), but the transmission overhead is O(k), and each user’s storage is O(kn); (ii) a scheme based on polynomials where the transmission overhead is O(kn) and each user’s storage is O(kn); and (iii) a scheme using algebraic-geometric codes where the transmission overhead is O(k2) and each user is required to store O(kn) keys. In the process of proving these results, we show how to construct very good cover-free set systems and combinatorial designs based on algebraic-geometric codes, which may be of independent interest and application. Our approach also naturally extends to solve the problem in the case where the broadcast channel may introduce errors or lose information.

Several variations of rooted tree based solutions have been recently proposed for member revocation in multicast communications [18, 19, 20, 21]. In this paper, we show that by assigning probabilities for member revocations, the optimality, correctness, and the system requirements of some of these schemes [18, 19, 20, 21] can be systematically studied using information theoretic concepts. Specifically, we show that the optimal average number of keys per member in a rooted tree is related to the entropy of the member revocation event. Using our derivations we show that (a) the key assignments in [18, 21, 20, 19] correspond to the maximum entropy solution, (b) and direct application of source coding will lead to member collusion (we present recently proposed solutions [21, 20] as examples of this) and a general criteria that admits member collusion. We also show the relationship between entropy of member revocation event and key length.