Re: Encryption with broadcast-only server-timed release

From: Francois Grieu (fgrieu_at_francenet.fr)
Date: 08/29/04


Date: Sun, 29 Aug 2004 13:53:15 +0200

Solving most of the original problem [*],
daw@taverner.cs.berkeley.edu (David Wagner) wrote:

> Let PK be the master public key for an identity-based
> cryptosystem generated by the server. Let TRp be the private
> key corresponding to identity p, as generated by the server.

Thanks for pointing this out. Seems a nice application for
Dan Boneh and Matthew Franklin's IBE
<http://crypto.stanford.edu/~dabo/papers/ibe.pdf>

> This achieves all of your requirements except the one in square
> brackets. I don't know how to satisfy the bracketed requirement
> but perhaps there is a way.

I fail to find it either.

  François Grieu

[*] Inspired by the abstract at <http://eprint.iacr.org/2004/211>,
I was wondering if a cryptosystem can be set up that achieves the
following "Public-key encryption with broadcast-only server-timed
release":

- A trusted server is set up; it publishes parameters and
  public key PK, then regularly a "timed release" value
  TRp, with p increasing from 0, say each day. The server
  never receives any information.

- Encrypters can use PK and p to encrypt a message M to
  C = ENC(M,PK,p), and publish it independently of the
  server.

- Decrypters having obtained C can decipher it back into M
  only with the help of TRp when it is published, as
  M = DEC(C,PK,TRp) [preferably: that should work using
  any TRq for q>=p, rather than just TRp]

- PK and TRp have size sub-linear with the maximum value
  of p (if any).

Note: Without the last criterion, any public key encryption
system deemed safe in the future will do: just generate
in advance a number of public/private key pairs, aggregate the
public keys into PK, release one secret key each day as TRp.

Note: the "any TRq for q>=p" thing makes it more difficult
to guess which message a receiver is decrypting by observing
the traffic from server to decrypter.
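
The baseline scheme from the first Note above (key pairs generated in advance, one secret key released per period), as an added example that is not part of the original post. Hashed ElGamal over a toy prime stands in for "any public key encryption system"; the function names, group parameters and MAC are assumptions. It shows PK growing linearly with the number of periods, and that a TRq with q != p does not open C.

```python
import hashlib, hmac, secrets

# Toy parameters (assumption, far too small for real use): Mersenne prime 2**127 - 1, base 3.
P, G = 2**127 - 1, 3

def server_setup(max_periods):
    """Pre-generate one key pair per period; PK is the list of all public keys."""
    secret_keys = [secrets.randbelow(P - 2) + 1 for _ in range(max_periods)]
    return [pow(G, x, P) for x in secret_keys], secret_keys

def _kdf(shared, label, n):
    """Expand the shared group element into n bytes with SHA-256 in counter mode."""
    seed = label + shared.to_bytes(16, "big")
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def enc(M, PK, p):
    """C = ENC(M, PK, p): hashed ElGamal to the period-p public key, plus a MAC."""
    r = secrets.randbelow(P - 2) + 1
    shared = pow(PK[p], r, P)
    body = bytes(a ^ b for a, b in zip(M, _kdf(shared, b"enc", len(M))))
    tag = hmac.new(_kdf(shared, b"mac", 32), body, hashlib.sha256).digest()
    return p, pow(G, r, P), body, tag

def dec(C, PK, TR):
    """M = DEC(C, PK, TRp); returns None if TR is not the value for C's period."""
    p, c1, body, tag = C
    if pow(G, TR, P) != PK[p]:      # released value does not match the published PK[p]
        return None
    shared = pow(c1, TR, P)
    expected = hmac.new(_kdf(shared, b"mac", 32), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _kdf(shared, b"enc", len(body))))

def demo():
    """Constructed run: 5 periods, a message locked to period 3."""
    PK, secret_keys = server_setup(max_periods=5)
    C = enc(b"open on day 3", PK, 3)
    # PK has one entry per period; TR3 opens C, TR4 does not.
    return len(PK), dec(C, PK, secret_keys[3]), dec(C, PK, secret_keys[4])

if __name__ == "__main__":
    print(demo())
```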


