Mediated traceable anonymous encryption
LATINCRYPT'10 Proceedings of the First international conference on Progress in cryptology: cryptology and information security in Latin America
The notion of key privacy for asymmetric encryption schemes was formally defined by Bellare, Boldyreva, Desai and Pointcheval in 2001: it states that an eavesdropper in possession of a ciphertext is not able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created. Since anonymity can be misused by dishonest users, some situations could require a tracing authority capable of revoking key privacy when illegal behavior is detected. Prior works on traceable anonymous encryption miss a critical point: an encryption scheme may produce a covert channel which malicious users can use to communicate illegally using ciphertexts that trace back to nobody or, even worse, to some honest user. In this paper, we examine subliminal channels in the context of traceable anonymous encryption and we introduce a new primitive termed mediated traceable anonymous encryption that provides confidentiality and anonymity while preventing malicious users from embedding subliminal messages in ciphertexts. In our model, all ciphertexts pass through a mediator (or possibly several successive mediators) and our goal is to design protocols where the absence of covert channels is guaranteed as long as the mediator is honest, while semantic security and key privacy hold even if the mediator is dishonest. We give security definitions for this new primitive and constructions meeting the formalized requirements. Our generic construction is fairly efficient, with ciphertexts that have logarithmic size in the number of group members, while preventing collusions. The security analysis requires classical complexity assumptions in the standard model.