[crypto] [E.Kiltz@cwi.nl: [risc-list] RISC@CWI : Saurabh Panjwani (UC San Diego)]

R. Hirschfeld ray@unipay.nl
Tue, 4 Jul 2006 15:14:36 +0200


------- Start of forwarded message -------
Date: Tue, 4 Jul 2006 12:51:03 +0200
From: "Eike Kiltz" <E.Kiltz@cwi.nl>
To: risc-list@cwi.nl
Subject: [risc-list] RISC@CWI : Saurabh Panjwani (UC San Diego)

Dear Colleague,

On Wednesday, July 5, there is a RISC seminar
from 11.00 h until 12.00 h at *CWI* in room 280 with a talk by

---------------------------------------------------------------------------------
Saurabh Panjwani (UC San Diego)
*To Collude or Not to Collude: The case of Broadcast and Multicast Encryption*
---------------------------------------------------------------------------------

Yours sincerely,

Ronald Cramer (CWI & Leiden University) and
Eike Kiltz (CWI)



Title: "To Collude or Not to Collude: The case of Broadcast and
Multicast Encryption"
Speaker: Saurabh Panjwani (UCSD)

We analyze group key distribution protocols for broadcast and
multicast scenarios that make blackbox use of symmetric-key encryption
and a pseudorandom generator (PRG) in deriving the group center's
messages. We first show that for a large class of such protocols, in
which each transmitted ciphertext is of the form $E_{K_1}(K_2)$ ($E$
being the encryption operation; $K_1, K_2$ being random/pseudorandom
keys), security in the presence of a
single malicious receiver is equivalent to that in the presence of
collusions of corrupt receivers. On the flip side, we find that for
protocols that "nest" the encryption function (use ciphertexts created
by enciphering ciphertexts themselves), such an equivalence fails to
hold: there exist protocols that use nested encryption, are secure
against single miscreants but are collusions-insecure.

Our equivalence and separation results are first proven in a symbolic,
Dolev-Yao style adversarial model and subsequently "translated" in
computational terms using a general soundness theorem (of the flavor
of the Abadi-Rogaway theorem for encrypted expressions). Both
equivalence and separation are shown to hold in the computational
world under mild syntactic conditions (like the absence of encryption
cycles).

We apply our results to the security analysis of eleven existing key
distribution protocols. As part of our analysis, we uncover security
weaknesses in seven
of these protocols, and provide simple fixes that result in provably
secure protocols.

This is joint work with Daniele Micciancio, also from UCSD.
------- End of forwarded message -------
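As an added illustration of the equivalence/separation point in the abstract (this is example code, not from the talk or the paper): a toy symbolic, Dolev-Yao style derivation engine that computes which keys a set of corrupt receivers can recover from a key-distribution transcript. The two transcripts (`FLAT` and `NESTED`) and the key names are constructed for this example; with flat $E_{K_1}(K_2)$ messages a coalition learns exactly the union of what its members learn alone, while the nested transcript is one a single corrupt receiver cannot break but two together can.

```python
# Symbolic (Dolev-Yao style) key derivation over a broadcast transcript.
# A term is either a key name (str) or a ciphertext ("enc", key, payload),
# where payload is again a term.  The adversary can open a ciphertext only
# when it already holds the key; no other operations are modelled.
# Transcripts and key names below are constructed for this example.

def enc(key, payload):
    return ("enc", key, payload)

def derivable(initial_keys, transcript):
    """Keys an adversary holding initial_keys can derive from transcript."""
    known = set(initial_keys)
    pool = list(transcript)                 # terms the adversary possesses
    changed = True
    while changed:                          # iterate to a fixed point
        changed = False
        for term in list(pool):
            if isinstance(term, str):       # a bare key in the pool
                if term not in known:
                    known.add(term)
                    changed = True
            else:
                _, key, payload = term
                if key in known and payload not in pool:
                    pool.append(payload)    # decrypt with a known key
                    changed = True
    return known

def coalition_learns_more(corrupt_keys, transcript):
    """True iff the coalition derives a key that no member derives alone."""
    union = set().union(*(derivable({k}, transcript) for k in corrupt_keys))
    return not derivable(set(corrupt_keys), transcript) <= union

# k1: legitimate receiver.  k3, k4: corrupt receivers who must not learn g.
# Flat transcript: every ciphertext is E_{K1}(K2) with K2 a plain key.
FLAT = [enc("k1", "k3"), enc("k1", "k4"), enc("k1", "g")]
# Nested transcript: g is wrapped under k4 and then k3; only a party holding
# both (here k1, which receives them first) is meant to unwrap it.
NESTED = [enc("k1", "k3"), enc("k1", "k4"), enc("k3", enc("k4", "g"))]

if __name__ == "__main__":
    for name, tr in (("flat", FLAT), ("nested", NESTED)):
        print(name, "k3 alone:", derivable({"k3"}, tr),
              "k4 alone:", derivable({"k4"}, tr),
              "k3+k4:", derivable({"k3", "k4"}, tr),
              "collusion gap:", coalition_learns_more({"k3", "k4"}, tr))
```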